Research

The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor so patch the databases according to your normal deployment schedules. It does seem that every time that I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with The others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise of a web server and reach the associated vulnerable databases. The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW! I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, there is no mention of a workaround in this CERT advisory as with this previous attack, and in general Oracle is not very chatty about the specifics on this one. And I love the teflon coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful! Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more. Share:

Thankfully most criminals are not that bright. Article in the Arizona Republic this morning about a group of three Mexican nationals who were on a little shopping spree in the Valley of the Sun. The trio was going to various electronic retailers and making purchased with fake credit cards. The cards appeared to be legitimate card stock from legitimate Mexican banks, but account numbers from valid U.S. accounts. The trouble starts when they buy a laptop from a WalMart, going out to the car, only to find that the laptop was missing. The WalMart employees legitimately messed up, and the box they provided the ‘customers’ was empty, and no one seemed to notice until after the group left the store. In what I assume was an unintentional remake of the classic scene ‘Somebody ripped off the thing I ripped off’, they got mad and went back to the store to complain. Loudly. To the point where the WalMart employees called the cops, panic ensued, with the three running out of the store flinging bogus credit cards around the parking lot … allegedly. Reports of their yelling ‘Whoop-whoop-whoop-whoop’ have not been independently confirmed. The three men were arrested and are being held on forgery and fraud charges pending an investigation. The real question in my mind will be where did the valid credit card account numbers originate from and who provided them. They were stolen from somewhere, and if the crooks had 19 cards made up, that should be enough to provide a statistically meaningful sample to match up with a point of origin. We have seen a lot of credit card number theft over the past several years, which tend to be highly publicized. We see much less on the use/fraud side. I am going to be interested to see what the police uncover … if it makes the news that is. Share:

There was some great hype in the wireless security world this weekend thanks to an article that made it on to Slashdot, and some FUD pumping so-called security consultants. Elcomsoft issued a press release that they can now crack WPA keys WAY faster using the GPUs (Graphics Processing Units) on the latest video cards. It’s kind of cool, and for wireless pen testing the tool sounds useful, but some of the quotes in the article from the security firm GSS (who I never heard of) are the typical garbage: “This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data,” said GSS managing director David Hobson. “As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.” … Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy. Idiots. These guys are forgetting two things- first, this method doesn’t work AT ALL against an enterprise installation (RADIUS) of WPA. George Ou has more on this. Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you’re fine. Rob Graham also has more on this. WPA-PSK still sucks to manage, and keys go stale, but use a good one and you’re fine. GCC should go back to playing Team Fortress or something with those video cards, because they were either misquoted, or clueless. Share:

What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing- we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, you might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening. Meanwhile, we watched the usual spectacle of the Presidential debate. Since I already know who I’m voting for, I’m not sure why I watch them at all. Like NASCAR, I suppose I don’t want to miss out when someone smashes into the wall and bursts into flames. On the security front, this week we saw more clickjacking details emerge, Apple release a security update, the World Bank get totally pwned, and Symantec make a major acquisition at a good multiple. But don’t get too excited; we also know a lot of investors pushing early exits at low multiples to save what they can. I don’t mean to focus so much on the finance side of the security world, but I think we’re going to see it bleed into our daily operations as the vendor landscape shifts around. Over here at Securosis central I continued to geek out and work on our infrastructure. We may be small, but we’re trying to set up some cool collaboration tools to support us as we grow. For you other small business types, the wiki/blog/calendar/mail group integration of OS X Server works surprisingly well, although I don’t think it would be my first choice for an external web server. I just wish it would index documents attached to the wiki. I also ordered a Drobo for our backups and I’ll let you all know how it works. Oh- and on my run yesterday I saw two coyotes in the park near our house watching me. Very cool. Webcasts, Podcasts, and Conferences: Martin and I have started broadcasting the Network Security Podcast live as we record it. In episode 123 (my luggage combination!) we talk about electronic voting, China spying, and clickjacking. If you didn’t catch it in the October print edition of Macworld, here’s the online version of the firewall article I coauthored with Chris Pepper. I wrote an article on mobile phone networks for TidBITS that made the front page of Slashdot. I think it’s about the 6th time I’ve hit the front page this year, which is pretty wacky. The TidBITS server had a massive failure unrelated to the Slashdot load right after the article was linked (oops). I was quoted over at Dark Reading on the license changes to Metasploit 3.2. I know I wrote that quote, but reading it now it comes off strangely ambiguous. For the record, I think it’s a great change that will really drive some interesting things in the pen testing software world. Adrian and I were invited by Jeremiah Grossman to a lunch event here in Phoenix with his company (WhiteHat Security) and F5. It was nice to finally get a demo of the F5/WhiteHat integration (WhiteHat generates dynamic WAF rules on the F5 box to block validated vulnerabilities; it’s pretty cool). Jeremiah also showed us his clickjacking code/demo. I almost wondered if I downplayed it too much after seeing it at work. On the bad side, some slimeballs from a local ISP decided to show up, enjoy a free lunch, and proceed to hit up every single one of us there as their personal sales prospects. I pretended I was out of business cards, but they snagged one of Adrian’s so he’ll get the call. Talk about low. Favorite Securosis Posts: Rich: Clickjacking Details, Analysis, and Advice. I tried to put some context around it, and talk about the overall impact. Direct from Rsnake is some advice on limiting the exploit. Adrian: Symantec Buys MessageLabs. Symantec pays a hefty price, but they land a leader in SaaS email security and fill out their messaging security portfolio. Favorite Outside Posts: Adrian: I had trouble naming any single post my favorite for the week. There was a most shocking, a scariest, a most depressing and a most sadly illuminating. I am going with the illuminating look into the minds of Sequoia Capital and their reactions to the current financial crisis. This should look a lot like the tech crash of 2001, and frankly, I hope this information was conveyed to their portfolio companies 9-12 months ago as the window to react has passed. Rich: Gunnar Peterson’s Innovators, Imitators, and Idiots. Just a great post that I need to blog about more fully later. Top News: The World Bank is seriously compromised. We need a new word for pwn. Apple releases a big OS X security update. Asus ships EEE PCs infected with a virus. Good job guys. ATM skimmers now include a wireless modem for SMS messages. The bad guys increase their embedded devices skills. Blog Comment of the Week: Christophe’s comment on My “Policies, Plans, and Procedures” post: Alas, I work in a former communist country where people were used to signing awful things, and hide whatever they did from upper eyes. I sure have an agreement, signed by all users, stating their responsibility, but that means almost nothing to them. Time for happy hour with some of out local financial analyst friends. Smart guys who are doing well through this mess, so we plan on getting them loaded and sucking up the advice. Share:

I don’t remember the exact quote from King of the Hill (an animated series here in the US), but it went something like this. Bobby: But how come you don’t want Luanne to go out with guys but you want me to date girls? Dad: It’s called the double standard, Bobby. Don’t knock it – we got the long end of the stick on that one. Alan Shimel clearly got the short end of the stick when his account was hacked. Heck, he got the short end of the nub, and so would pretty much all of us. Odds are high you’ve heard that the college kid that hacked Palin’s account is being indicted and could face jail time. Twitter was all aflutter yesterday with concerns that the potential punishment exceeds the crime. Personally, I believe if you break the law, you face the consequences. I also harbor no illusions that our justice system is blind. It’s clear if you mess with a popular politician, they will frack you as hard as possible, in every way possible Then bury you. Then pee on your grave. Then pee on your dog before they bury it next to you. Your family and friends? You really don’t want to think about that. And when you mess with a maverick Republican? Well, let’s better hope they can’t track down anyone that ever bothered to smile in your general direction. Had the perpetrator broke into a government account I would expect a different set of consequences. But a personal account should be treated the same as Joe Six Pack’s. Heck, Alan’s break in involved documented financial fraud, unlike Palin. Not that I think we should destroy the lives of every college kid that virtually shoplifts a virtual candy bar (punishment should suit the crime), but over-tolerance only breeds contempt. Just call me a dreamer, but as a realist I know I’m just wasting my words on this particular topic. Still, I’ve heard from businesses that unless credit cards or other hard financial losses are clearly involved it is essentially impossible to get law enforcement to take action; they just don’t have the resources. As such we need to focus on our own monitoring and incident response. If you can’t prove someone really stole your cash, you won’t get the attention of law enforcement. If you can’t give them a description, don’t expect the case to go very far. It’s really no different in the physical world. A few years ago, when I moved to Phoenix, we screwed up and left the garage door open at night. One of those silly mistakes when you think the other person took care of it. Neighborhoods are routinely cruised out here, and when I woke up and noticed it was too late. There went my road bicycle, most of my climbing gear, and, worst of all, a small pack containing my original Star Wars figures I’d saved since I was a kid and some other very personal mementos. We filled out a police report but never expected any action (no, they won’t take fingerprints if someone steals your bike), and after our deductible it wasn’t even worth filing an insurance claim. I made the rounds of the local pawn shops, but no joy. Society accepts a certain level of losses, since we don’t have the resources to continue otherwise. That doesn’t, of course, apply when something gets the press attention of the Palin hack. Sometimes it’s about the losses, and other times it’s about looking good in the press. Share:

Someone at Google has created Mail Goggles. It’s a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say … [snip] “Sometimes I send messages I shouldn’t send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together,” [/snip] And who hasn’t, really? It’s no wonder I am not smart enough to work at Google. I would never have through this up, never mind actually coding it. I checked, and it’s really there, under the Lab’s section, along with a dozen or so other productivity tools. I really think they could be onto something here … just consider this from a ‘Reputational Risk’ perspective; this could be a hot product for Postini. One too many Martini’s with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your “spa day” executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if your too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon … Share:

Well, I did not see this coming. Today Symantec Corp has agreed to acquire Message Labs for $695 million. That represents close to a 5x multiple on $145M in revenue. While market conditions are not rosy, this price is not out of line for a segment leader who is seeing growth in the highly competitive email security market. This appears to be a good strategic move; they address their largest weakness in email security (SaaS), they can leverage the continued convergence of security offerings in messaging and data protection, and there is a substantial cross-selling opportunity. If memory serves, the 19,000 customers of MessageLabs represents an order of magnitude larger customer base Brightmail brought to the table in the 2004 acquisition. It’s hard for me to fault this acquisition. The primary growth opportunity in the email sector appear to be on the hosted services side, and the bet here is being made that SaaS is the model for the future. Today you can get Brightmail as software, hosted email security or an appliance, so it’s not like you did not have the choice, but the focus was clearly not on SaaS. MessageLabs, along with Google’s Postini, are the current leaders in this space with hosted services. The danger for for the vendors who offer email security as a service is the ease of migration from one platform to the next. It’s not like software or hardware purchases where the investment & employee training creates a degree of ‘stickiness’. Migration from one hosted email security vendor to the next is relatively low, and Symantec will be under immediate pressure to keep the MessageLabs customer base happy as they are in serious competition from Postini. Postini is dirt cheap, so failure to convey the overarching vision or a significant alteration to pricing could result in a very quick loss of customers. Still, I don’t see that happening as Symantec offers a low risk choice for many companies. A large stable firm with strong commitment to the segment and the breadth of product offerings makes a compelling choice. Upstarts with better technology just cannot compete with the mature, high availability, low risk vendors. As the other major growth opportunity in this segment is the convergence of messaging, web and DLP security feature sets, customers are more commonly viewing these as similar problems and want to address with a unified solution. It is difficult for companies to offer highly competitive products in all areas, but Symantec is now able to take a leadership role in each. And what does this mean for Brightmail? Undoubtedly this will be rolled out as a hybrid model for now, with at least a short term commitment to existing customers. Symantec can hedge their bets on what the market will want in terms of technology for the short term. In response to John Thompsom’s quoate, yes, today’s customers have a great choice as far as the type of solution they choose, but my guess is the Brightmail investment will slowly atrophy, and Symantec will migrate customers onto the more profitable hosted platform. Share:

In the last post on Email Security, I commented on how easy it was to add outsourced email security services onto your existing email security deployment. That adding on an extra layer of anti-spam filtering on top of what you have not only provides an increase in the effectiveness of filtering, but also reduced the processing load on your existing hardware. But email security service vendors have been adding outbound email, data and web security offerings to their portfolio on top of their existing offerings, and these services solve different problems and offer different value propositions. Most companies I speak with state that 95~97% of the email that hits their servers are spam. A large percentage contain viruses, spyware and inappropriate content. The switch is cost effective and ‘painless’ in terms of administration and maintenance, and the large service providers tend to have very current and effective solutions. But it is worth noting that the problem you are solving is not protecting sensitive corporate information, rather keeping garbage out of your system. If you don’t see spam and your computers have not been infected, you have been successful. From the customer’s perspective, outbound email security offers many of the same advantages as inbound. As most companies have a very positive experience with inbound service, adoption of an outbound email security service is a natural extension of those advantages you enjoy today. It takes very little work to route your outbound email to a third party provider. These providers offer a canned set of security policies out of the box so you can be up and running in minutes, in conjunction with well designed web interfaces to customize and tune email (or even web security) policies. But the problem being set being addressed is very different; intellectual property leakage, use of private customer information, inappropriate content, violation of corporate policies and even bot-net detection. These problems are more complex and require policy and system verification. Just because you outsourced the operation does not mean you removed the responsibility of audit and security verification of the system itself. Specifically what do I mean by that? If all of your corporate correspondence is being routed through a third party provider, you need to make sure that they are secure, and their policies are in line with yours. Remember, the information you are sending out is all of your corporate email, your policies for enforcement, and possibly all of the web browsing history. The service providers offer ad-on email retention services for ‘compliance’, but as some of the data is stored for their own backup and recovery processes, your data will be stored for some period of time. How is privacy maintained? Who has access to the data? Is there verification of integrity? When and how is the data disposed? What the vendor will be selling you is the filtering service, the administrative interface, and the storage. What you need to ask for is their security policy, their data retention & data destruction policies, and audit reports for changes in permissions, data access and alterations to your data. The vendor will provide you a report on what was filtered and blocked according to policy; in addition you need reports on the operational controls around the system. If these services are being marketed to you as ‘must-have’ for compliance, then the vendor must be able to provide their own policies and audit trail of their service. The vendor will need to provide some degree of transparency both to their methods and processes in general, but specifics on who or what has access to your data. I know a lot of this sounds incredibly obvious, but I have yet to run across a company who has requested this information from their outbound email security provider. Share:

I was catching up with Rob Newby’s blog and this post on dealing with security policies vs. standards/processes caught my eye. Although policies form the foundation for our security programs (at least they should), I find that more often than not they are completely misused by many of my clients. While I’ve noticed definite improvement over the past few years, I still often walk into organizations and see big 3 inch binders full of their security policies. Rob does a great job of breaking these out, but I’d like to take it a step further. I’m going to dig into some nitty-gritty details, but feel free to skip to the end where I tell you why none of this parsing of language matters much. Here’s how I like to divide up the world of security gove ance documentation:200810071218.jpg Policies are high-level strategic governance with executive sponsorship. Policies should be short and to the point, since those who sign off on them don’t need to know the technical details. An example might be, “we shall monitor all database activity based on the sensitivity of the data and legal or contractual requirements”. Keep in mind, that since policies should be signed off by senior management you want to keep them generic enough that you don’t have to go back to the CEO/CIO/CFO/COO every time you want to change a firewall configuration or AV product. The next layer down are the high-level tactical documentations- plans and standards. The security plan is how you intend on achieving the policy, but it’s still not at the level of specific steps. Keeping with our policy above, the plan would specify the contractual requirements, basic data classification, which activity will be monitored, and so on. While plans define how security will do things, standards define how everyone else has to do things. Below that are your specific implementation documentations- processes, guidelines, and procedures. Here’s where you get into the bitty-gritty of actual implementation and step by step guides. A process is a repeatable series of steps to achieve an objective, while procedures are the specific things you do at each of those steps. Keeping with out example above, the process would define how monitoring occurs (e.g. third party DAM tool), and the procedure is which bits to flip within the tool. Yeah, I think that’s a whole lot of paper and a huge time sink myself. Here’s a slightly more pragmatic, and somewhat repetitive, way of looking at things: Policies are still high level strategic governance with executive sponsorship; that never changes. Short and sweet since it makes it easier to get them approved, and you want o have to change them as little as possible. I don’t really care what you call below that, but you should have a security plan for implementing your policies. Plans are managed at the CISO or security director level (whoever is in charge) and change more frequently. You don’t want to have to go to the CEO to change your plans. At this layer you also have your standards- which, if you think about it, is the next layer of gove ance. CEOs sign off on policies, and CISOs sign off on standards. Below that is where you detail how the heck you’ll accomplish all this gove ance. You document processes, list our procedures, and issue guidelines and configuration standards. This stuff will change all the time, and shouldn’t necessarily need the CISO to sign off on it unless it breaks with the layer above. The simpler the better, but if you don’t write this stuff down in an organized way you’ll eventually pay the price. By breaking it down into these three main layers, you can more easily change both the minutiae and the big picture as you adapt to changing conditions. Share:

Looks like the cat is out of the bag. Someone managed to figure out the details of clickjacking and released a proof of concept against Flash. With the information out in public, Jeremiah and Robert are free to discuss it. I highly recommend you read Robert’s post, and I won’t try and replicate the content. Rather, I’d like to add a little analysis. As I’ll spell out later, this is a serious browser flaw (phishers will have a field day), but in the big picture of risk it’s only moderate. Clickjacking allows someone to place an invisible link/button below your mouse as you browse a regular page. You think you’re clicking on a regular link, but really you are clicking someplace the attacker controls that’s hidden from you. Why is this important? Because it allows the attacker to force you to interact with something without your knowledge on a page other than the one you’ve been looking at. For example, they can hide a Flash application that follows your mouse around, and when you go to click a link it starts recording audio off your microphone. We have protections in browsers to prevent someone from automatically initiating certain actions. Also, many websites rely on you manually pressing buttons for actions like transferring large sums of money out of your bank account. There are two sides to look at this exploitation- user and website owner. As a user, if you visit a malicious site (either a bad guy site, or a regular site that’s been hit with cross site scripting), the attacker can force you to take a very large range of actions. Anytime you click something, the attacker can redirect that click to the destination of their choice in the context of you as a user. That’s the important part here- it’s like cross site request forgery (really, an enhancement of it) that not only gets you to click, but to execute actions as yourself. That’s why they can get you to approve Flash applications you might not normally allow, or to perform actions on other sites in the background. As with CSRF, if you are logged in someplace the attacker can now do whatever the heck they want as long as they know the XY coordinates of what they want you to click. As a website owner, clickjacking destroys yet more browser trust. When designing web applications (which used to be my job) we often rely on site elements that require manual mouse clicks to submit forms and such. As Robert (Rsnake) explains in his post, with clickjacking an attacker can circumvent nonces (a random code added to every form so the website knows you clicked submit from that page, and didn’t just try to submit the form without visiting the page, a common attack technique). Clickjacking can be used to do a lot of different things- launching Flash or CSRF are only the tip of the iceberg. It relies heavily on iFrames, which are so pervasive we can’t just rip them out. Sure, I turn them off in my browser, but the economics prevent us from doing that on a wide scale (especially since all the advertisers- e.g. Google/Yahoo/MS, will likely fight it). Clickjacking is very difficult to eliminate, although we can reduce its risk under certain circumstances. Because it doesn’t even rely on JavaScript and works with CSS/DHTML, it will take a lot of time, effort, and thought to eliminate. The fixes generally break other things. After spending some time talking with Robert about it, I’d rate clickjacking as a serious web browser issue (it isn’t quite a traditional vulnerability), but only a moderate risk overall. It will be especially useful for phishers who draw unsuspecting users to their sites, or when they XSS a trusted site (which seems to be happening WAY too often). Here’s how to reduce your risk as a user: Use Firefox/NoScript and check the setting to restrict iFrames. Don’t stay logged in to sensitive sites if you are browsing around (e.g., your bank, Amazon, etc.). Use something like 1Password or RoboForm to make your life easier when you have to enter passwords. Use different browsers for different things, as I wrote about here. At a minimum, dedicate one browser just for your bank. As a website operator, you can also reduce risks: Use iFrame busting code as much as possible (yes, that’s a tall order). For major transactions, require user interaction other than a click. For example, my bank always requires a PIN no matter what. An attacker may control my click, but can’t force that PIN entry. Mangle/generate URLs. If the URL varies per transaction, the attacker won’t necessarily be able to force a click on that page. Robert lays it out: From an attacker”s perspective the most important thing is that a) they know where to click and b) they know the URL of the page they want you to click, in the case of cross domain access. So if either one of these two requirements aren”t met, the attack falls down. Frame busting code is the best defense if you run web-servers, if it works (and in our tests it doesn’t always work). I should note some people have mentioned security=restricted as a way to break frame busting code, and that is true, although it also fails to send cookies, which might break any significant attacks against most sites that check credentials. Robert and Jeremiah have been very clear that this is bad, but not world-ending. They never meant for it to get so hyped, but Adobe’s last-minute request to not release caught them off guard. I spent some time talking with Robert about this in private and kept feeling like I was falling down the rabbit hole- every time I tried to think of an easy fix, there was another problem or potential consequence, in large part because we rely on the same mechanisms as clickjacking for normal website usability. Share: