Research

Say you are an on-line retailer: Do you ever check to make sure your web site functions? If you don’t, start! Here are a few examples of why this is a good idea: Failure 1: When you email out a promotional flier to your user community, but the promotional form rejects the user login because the user email account you mailed the flyer to cannot be found in your database, odds are your sales response is not going to meet expectations. Failure 2: When you on line order form rejects purchases because the zip code does not match the state, but your web form lacks an entry for state, odds are your sales response is going to be nil. State of confusion … Failure 3: When your customer wants to do you the courtesy of pointing out some flaws that may limit revenue, the form you ask the customers to fill out should actually exist. Presenting potential customers with a FAQ when they click a form submission link is in essence telling them ‘RTFM!’, and a great way to alienate your want-to-be-buyers. When you are in a highly competitive market segment, you really want to check your web site for obvious bugs before the last day of the quarter. Wake up Parallels!!! P.S. I should say that if it was not for an exceptionally nice sales rep named Melinda, this effort would have been abandoned. Share:

The Securosis team is attempting to regroup and prepare for a busy Q4. It took three full days, but I am fully migrated into the Mac Universe and engaged in a couple of research projects. Now productive, I can finally start work on a couple research projects. Rich has left HQ in search of coffee, quiet and a security muse while he catches up on writing projects and white papers. But even though we have a short term ban on travel and conferences, there is a lot to talk about. Here is our summary of this weeks blogs, news and events. Webcasts, Podcasts, and Conferences: This week on the Network Security Podcast 123, guests Robert “Rsnake” Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security as they discuss their new clickjacking exploit. Favorite Securosis Posts: Rich: Impact of the Economic Crisis on Security. It doesn’t matter if you are a vendor or practitioner, we’ll feel the effects of this crisis, but in a predictable way. Adrian: Email Security. It’s getting cheaper, faster and easier to implement, but with some potential privacy issues depending on how you go about it. Favorite Outside Posts: Adrian: Brian Krebs post on lawsuits against ‘Scareware Purveyors’. Finally. Infecting someone’s machine with spyware and using it as a marketing and sales conduit is akin to stealing in my book. Now if they would only go after the purveyors of this scare tactic. Rich: Fyodor explains (probably) the looming TCP attack. Fyodor, creator of NMAP, does an excellent job of explaining how the big TCP DoS attack likely works. Top News: The recovery bill. Law makers look panicked, and the market goes down every time they get close to a ‘solution’. The TCP Denial of Service attack. Nothing to panic about, and we’ll write more on it, but very interesting. Blog Comment of the Week: Chris Pepper’s comment on Rich’s “Statistical Distractions” post: [snip]… I refuse to use unencrypted email, but that”s to the SMTP/IMAP/POP/webmail server. But for email we have to keep in mind that the second hop – to the destination SMTP server – is almost always plaintext (unencrypted SMTP). So it’s more about protecting the account credentials than about protecting the email itself, but someone gaining full access to my whole multi-gigabyte mail store would really really suck. …[/snip] Now, I am off to The Office for the Securosis weekly staff meeting. We hope you all have a great weekend. Share:

There’s been a bunch of new information coming out the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are: Fyodor’s discussion of either the same, or a similar issue. Richard Bejtlich’s overview. Rob Graham’s take on the potential attack. Here’s what I think you need to know: It is almost certainly real. Using this technique, and attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (which could trash the host OS). Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack. This is the kind of thing we should be able to filter, once our defenses are updated. In other words- a bad attack, but a moderate risk. That said, there are aspects of this that still concern me and we need to keep in mind: We don’t know if our assumptions are correct. This could be a different, and much more serious, technique. Such as something spoofable. Unlikely, but possible. Nothing says a botnet can’t use this- and thus make filtering and tracing a real pain. Imagine a botnet rotating this attack technique around to different nodes. It could support more efficient botnet attacks, that could then drop to regular flood mode if it doesn’t think the more efficient direct mode is working. We don’t know it doesn’t do something to the router infrastructure or passive monitoring. Again, unlikely based on the information released, but I’d hate to dismiss this as concerning until we know more. Until there’s some sort of fix, the Defcon network and coffee shops near universities are really going to suck. Until this is fixed, small businesses and individuals are the most likely to suffer. An enterprise might be able to detect and drop an attack like this, but individual users and small business don’t have the resources. Get ready for vendor pouncing. Share:

Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up. Basically, it’s massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t but help think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs methinks the alarm bells would be ringing a tad louder. From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection). Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything. One interesting tidbit- since this is in TCP, it also affects IPv6. Share:

Greg Young over at Gartner has a humorous post on possibly the best way to make money in network security- the “Security Silly Jar”. Just drop in a quarter anytime someone says something stupid from the list. My favorite is number 9: 9. software can”t be secure. Could you please at least try. If you don’t know Greg, he’s the lead for network security over at Gartner and someone definitely worth reading… Share:

Last night I managed to pull a serious Munson. My car battery was dead, so I jumped it from my wife’s car. Then both batteries were dead (her car literally shut down when I tried to start mine). Then my brother in law came over, and managed to jump both cars. We left them running, then turned them off- and both were dead again. One more trip from my brother in law and we were up and running. We drove around for a bit and then stopped to run an errand. We stopped, and restarted, one car at a time so we always had one running vehicle. Both restarted, so we ran them for a minute longer and then ran our errand. Come back, and both are dead. Mall security jumped her car, drove on the highways for 20 minutes, parked it at home. Dead. Dead. Dead. Her car is a hybrid, and we think my battery is dead and something about jumping it blew something in her electrical system. Good times, my friends. Good times. At least I get some amusement this morning out of this article with some of the usual statistical dribble used to scare people into buying products. There’s no need to go into detail- it’s just a survey talking about how few companies perform email encryption, how hard and manual it is, and how employees would use it more if it were easier. This is all, of course, tied into some Nevada law and sponsored by an email encryption vendor. They forget, of course, to mention how few compromises there are of unencrypted email. No reference at all to any real cases where encryption would have prevented the loss of personal data (never mind any fraud associated with said loss). In short, nothing useful to help you make any kind of risk decision. Remember, I’m not against numbers, nor am I against email encryption (I use it occasionally for business communications), but I am against silly numbers with no bearing to anything important. We need more quality metrics and surveys, not this dribble that likely won’t fool a single security professional into buying a product. You might, likely, use email encryption anyway, but this sure won’t affect your decision. Share:

Finally took the plunge last week- I went out and bought a Mac. Actually, I bought a couple of them. That was not what I originally intended, as my plan was to get a top-of-the-line MacBook Pro and a high-end monitor to go with it. But every time I sat down in front of my wife’s iMac, I was really impressed with the quality of the display and the simplicity of the machine itself. When I learned the 24-inch version had the Core 2 Duo at 3GHz, I was sold. Given the amount of travel I do I needed a laptop, so I picked up an entry-level MacBook as well. It worked out about even money as far as hardware costs, and it will only cost me a little more for software, so I kind of feel like I got two for one. For the last week I have not been blogging all that much as I have spent every waking hour moving files, downloading software, installing, configuring, and learning a bunch of new applications. I don’t think I have bought this much personal software before. And with Rich and myself reworking the Securosis infrastructure at the same time, it has been a hectic week. For those who do not know me; I started my career with UNIX; moved to CTOS; then a mixture of Windows, UNIX, and Linux for about 5 years; but over the last 8 years it has been almost all Windows PCs. So learning a new OS is no big deal, and the UI design on the Mac is pretty darn easy, which has helped smooth the transition. But I must say I am glad that there is a UNIX-based OS sitting underneath … makes me feel a little more comfortable and made the learning process faster. I wanted to share the experience as I was wondering if some people had come to the same conclusions that I have about the Apple products. First the MacBook: The MacBook is nice-looking, but nothing all that spectacular IMO. While the 2.4GHz Intel processor is fast and I like the OS, the keyboard is decidedly ordinary and the display is really not all that great. Contrast, color saturation and accuracy are all pretty poor. Tried to calibrate as best I could without tools, but I only think I am going to get so far with this effort. My real concern at the moment has been stability. I have only been running the machine for a couple of days and Mail has hung twice, and the machine would not respond to shutdown requests. I installed all of the patches I could and hopefully that will help. I also upgraded the machine to 4gb, and when I did, I found an interesting white residue caked on the pins of the DIMMs. I am wondering if the installers are putting talc or something on the pins to make insertion easier, but there was so much I have to wonder if there were memory errors. Seems to be more stable now and I am hoping for the best. The iMac- in a word, WOW! It is the nicest machine I have ever owned. Fast. Put 4 gig of memory in it. The aluminum keyboard has a great feel to it. Keep looking for the right mouse button, but that’s OK, I am retraining myself. But the most amazing thing about this box is the monitor. 24 inches of real estate. The color, depth and detail is stunning. It’s fun just to look at the pre-supplied backgrounds. And everything has worked without a hitch. Software installed in a fraction of the time of other platforms. The one time I messed up I simply drug the application to the trash, started from scratch, and was done in two minutes. The only anomaly I found is the machine is spec’ed for DDR2 800, but came with DDR2 667. Other than that, perfect. The MacBook is nice, but the iMac is why I am beyond happy. Hard for me to imagine that this is true, given the long line that I had to wait in when I went to the Apple store. Plus I know 5-6 people who just switched to Macs, and half the people I know are saving up to get iPhones. With a product that is this solid, I don’t think that they have a lot to worry about. Share:

‘This is a very interesting article by Robert Westervelt over at Tech Target, and I wanted to make a couple of follow-on comments. Way back when, as a DBA, my morning ritual was to get into the office, grab a cup of coffee, and review the database and web app logs. Just wanted to make sure that the databases were running smoothly and there was nothing unusual going on I had a single web app and 5 or so databases. Took about 30 minutes. But that was pre-tech collapse, where DBA’s only had 10 or so databases to manage. If you are managing 100 or more database, you are not reviewing logs on a regular basis without automation. Whether it be security, systems management or configuration management, you have to have help. And today, you are buying a tool for each, and of those, 2 of the 3 are not typically supplied by the database vendor or the tools vendor. We talk a lot about security products for databases here at Securosis, but few of them operate the way that DBAs and IT operations personal want them to work. Yes, I understand separation of duties and I understand that the DBA is not the best person to provide security analysis, but still, a single platform to provide all these operational aspects would make sense. I used to love to go to the IOUG events around the country. I used to give presentations at some, but I wanted to go because I always learned something from the lectures or presentations. There was such a wealth of knowledge, and when you have hundreds of DBA’s with unique problems and willing to experiment, they often run across very cool solutions. I ran across some Perl scripts once for data discovery that were really amazing, and I borrowed from this source as much as I could. It dawned on me that Oracle has an amazing resource here and does not leverage this for either their, or their users, benefit. The model I am thinking of is Firefox and the community plug-ins. It would be nice to have the ability to browse and download utilities from the community at large and try them out. OEM could really use that kind of lightweight option. And, yes, this means I have my doubts that Fusion Middleware is going to be leveraged by the people that manage Oracle platforms and databases. Share:

What do you think our new financial law will be? What piece of legislation will be enacted by our government to protect us from the greed that caused this current financial crisis? Last time it was Sarbanes-Oxley. Who will be the poster child for our current financial crisis? Who will be the “Keating 5” this time around? You know it is coming. It has every other time greed has torpedoed our economy. And it is an easy target for any politician when there is only one side to an issue. I mean, how many voters are pro-financial crisis? I am actually asking this as a serious question. I am really at a loss for a plan of action that would be effective in stopping financial institutions from making bad loans, or how the government could effectively regulate and enforce. The typical downside to bad business practices (falling stock value, bankruptcy) have been nullified with mergers and government funding. In this case the greed seemed to be evident from top to bottom, and not just within a company or region, but the entire industry. Financial institutions to the buyer and most of the parties in between. Yes, lenders skirted process and sanity checks to be competitive, but it took more than one party to create this mess. Buyers wanted more than they could afford, and eagerly took loans that led to financial ruin. Real estate agents writing the deals as fast as they could. Mortgage brokers looking for any angle to get a loan or re-fi done. Underwriters in absentia. Appraisers ‘making value’ to keep business flowing their way. You name it, everyone was bending the rules. So that is really is the question on my mind: what will comprise the new regulation? How do you keep businesses from saying ‘no’ to new business? How do you keep competitive forces at bay to reduce this type of activity from happening again? My guess about this (and why I am blogging about it) is that enforcement of this yet-to-be-named law will become an IT issue. Like Sarbanes-Oxley, much of the enforcement, controls and systems, along with separation of duties necessary to help with fraud deterrence and detection, will be automated. Auditors will play a part, but the document control and workflow systems that are in place today will be augmented to accommodate. Let’s play a game of ‘trifecta’ with this … put down the name of the company who you think will who will be the poster child for this debacle, the name of the politician who will sponsor the bill, and the law that will be proposed. I’ll go first: Poster Child: CountryWide Politician: John McCain Law: 3rd party creditworthiness verifications and audit of buyers If you win I will get you a Starbuck’s gift card or drinks at RSA 2010, but something. Share:

We had a killer episode of the Network Security Podcast this week as Jeremiah Grossman and Robert “Rsnake” Hansen joined us to talk a bit about their new clickjacking exploit. I definitely had some fun on this one, even though Jeremiah and Robert couldn’t dig too deeply into the details. We also managed to sneak in a bit on open source voting, and the top 10 ways to know you’ve been exploited. But mostly, you want to hear is making fun of each other. This was also one of our first episodes we streamed live. Although we record at irregular times, we plan on live streaming as much as we can. Just keep an eye on us on twitter (rmogull or netsecpodcast) for a few hours warning if you want to listen in and harass us over IM. You can download the episode here, and full show notes are at NetSecPodcast.com. Share: