Research

Very nice article by Ken Schachter over on the Red Herring site yesterday. Aladdin Knowledge Systems, the Israeli security firm that was recently in the news after acquiring the Secure Computing SafeWord product, was itself the target of a takeover bid. The bid comes from Vector Capital, the backers of SafeNet. The opening bid was rejected, but this looks like the typical negotiating dance, so I expect we will see more activity in the coming weeks. Aladdin has an interesting mix of encryption products as well as the eSafe line of web and content security appliances. It is not clear to me if Vector’s intention is to merge companies, but that would make sense. It While Aladdin has a great deal of overlap with what SafeNet provides, there are considerable synergies as well, both in the areas of a combined DRM offering, content filtering as well as Aladdin’s products possibly utilizing SafeNet hardware. Regardless of long term vision and synergies, with Aladdin Q2 revenue slump and 52 week low share price, they are an attractive target. It will be interesting to see how this plays out. Share:

Nice article over on MSN about data mining and analysis of credit card purchases to adjust people’s credit score. In a nutshell, some of the card issuers are looking at specifically what people are purchasing, not just payment history, in determining credit worthiness. Worse, they will adjust the credit score over time. So the FTC has file suit against at least one company, CompuCredit, for ‘deceptive’ marketing practices, which does not really capture the essence of the problem. I am not sure if it can be legally called a privacy violation, but it my mind this is exactly the heart of the issue. This goes well beyond my typical ‘beef’ with companies that use my personal data to my detriment. Yes, I admit that I do not like the fact that a credit score is a made up number by the credit industry, and the entire credit scoring system is for the credit industry, with nebulous guidelines on how we play this game. But more or less, pay your bill on time, get a decent score. But by examining what we purchase in the context of our credit heavy culture, and then associate a value judgment of that purchase, is a very slippery-slope. Any good data mining software, with access to complete purchase histories, will very quickly come up with a profile of who you are, what your preferences are, and categorize your choices as a risk score. Purchase something a credit agency does not approve of, and pay more for your home loan. Almost everything that you can buy could have a social value associated with it, and you will be ranked by the preferences and values of the institution who issues the credit. Through this sort of profiling of race, gender, ailments, addictions, affinities and other traits will be identified and penalized, which is the nature of the complaint against CompuCredit. And I would wager that the ability to detect sexual orientation or religious affiliation could be added if they chose to do so. In my mind, this is very much the definition of Redlining, and one of the many tangible examples of why I harp on data privacy so often. Hopefully the FTA will come down on them hard. And for those of you were not worried about this, I know a few security professionals whos’ week in Vegas will have their FICO skimming in the low 5’s if their purchases are being evaluated. Share:

For the record, yes, those hazmat suits are really freaking hot and sweaty. I guess that’s what they mean by, “vapor barrier”. No, nothing freaky is going on; that’s just a picture from an old practice. And that’s pretty much how I’m spending this week- training, practicing, and cleaning bathrooms. I’ve talked about the value of training before, and it’s one reason we’re constantly practicing those critical skills until they become second nature. At this point, putting on a hazmat suit (level A, B, or C) is second nature. That’s the only way to survive if I ever have to wear one during a real incident. It’s an opportunity I highly doubt I’ll ever experience, but it’s also the kind of thing you can only screw up once. One of the classes I’m taking this week is Basic Disaster Life Support. It’s a fairly new class that focuses on medical management in massive incidents from the natural (earthquakes) to the man made (blowing stuff up). The biggest lesson I’m taking away from this class isn’t some specific technique for managing a specific injury but a single general principle with direct applications in the IT world- What’s next? When donning a hazmat suit it means what’s the next step? Boots, mask, hood? Then, when something fails (and it will) what do you do next? In a disaster it means what happens after you’ve exceeded your plans. Finished getting all those patients out of your hospital when the big storm is coming in? Great, where are you going to send them next? Oh, the ambulances. Right, um, how many of them are there? Where are they going? When we plan for disasters that’s the one question we need to ask at every step, and keep asking. Forever. We need contingency plans for our contingency plans. It really isn’t any different in IT. The parallels to the business continuity side are easy to draw. What happens when the power goes out? Okay, the generators just ran out of gas, what next? The roads are flooded so you can’t get more gas, so what’s next? Same thing for security, except usually we’re talking defenses. Web application firewall? Great, what happens when some bad guy gets past it or they skip it by hitting the database from a compromised internal machine? How about if they had an 0day you didn’t know about and now own the machine? And eventually you’ll run out of answers, because at that point there’s either nothing to do or it’s time to just turn it all off, or let it burn and collect the insurance money. But through the process of constantly asking that question you’ll develop a methodical, mechanical approach to solve seemingly insurmountable problems. You’ll even learn that sometimes it isn’t just having the right answer, but continuously moving (or appropriately pausing) that eventually gets you past those obstacles. What’s next? Never assume. React faster, and better. Stay in school. Don’t do drugs. Share:

Securosis Guest Editorial On occasion we invite some of our non-blogging friends to steal our thunder. Jesse Krembs, known as Agent X to those of us at DefCon, is a network engineer at undisclosed locations out East. He’s one of the guys who keeps the tubes running, and, on occasion, loves a good rant. I couldn’t sleep last night. I’ve been thinking about the MIT/MBTA hacking controversy lately. Zack Anderson, RJ Ryan, & Alessandro Chiesa are not the victims of this saga, although that plays a lot better in the media. Truth is, the MBTA is the real victim here. I can completely understand exactly where the MBTA is coming from, and why they ran to the lawyers. They are out of their depth, dealing with smart kids screwing with their systems (and livelihood) in a very public manner. The MBTA’s not in the business of running secure systems- far from it, they are the business of moving people & making the trains run on time. This is a harrowing tasking, fraught with enough complications without some kids mucking around in the back office. The MBTA didn’t request a security audit; they got audited, in the same way that a burglar cases a house before breaking in, or a mugger sizes up a mark. But unlike a burglar just looking for a single score, as far as the MBTA could tell these students were cracking the entire system and teaching the public how to do it themselves. The worst part is this was 100% avoidable. The big mistake that the MIT boys made was to treat the victim like the enemy instead of like a client. What they did is valuable; valuable enough to get an “A” from Ron Rivest, valuable enough to be presented to a crowd at Defcon 16. Valuable enough that the MBTA is willing to pay lawyers to shut them up and sort it out. If the MIT students had disclosed what they had found to the MBTA first in an honest and forthright manner, I wouldn’t be writing this. Had they done the responsible thing, everyone could win, the MIT kids could have had an awesome summer gig securing the MBTA, the MBTA & the people of Boston could be more secure. Maybe that sounds idealistic, but the MIT name carries enough weight the odds are they could have engaged in a real project, not an adversarial relationship. The baddies wouldn’t know much more then they know now. The MIT boys could even have still given their talk at DefCon. Instead, with all the arrogance of youth & higher education, the boys from MIT sco ed contact with the MBTA. They made the MBTA the enemy; the ogre in the cave, without even giving them a chance. And let’s be honest, it isn’t like this was a security issue affecting the health and safety of the train-riding public; it targeted revenue generation, and releasing the vulnerability details didn’t do anything to help the public at large. Well, the law-abiding public. Please grow up; in the connected world there are very few ogres in caves any more, and they don’t let you ride their trains. The difference between black hats and white hats is a line, and it’s a gray one. But occasionally it gets a little contrast. When you treat the person or organization with a security problem like a victim or and enemy, then you’re the bad guy. You’re basically fucking them over, sometimes hard, sometimes gently, but it’s still a screw job. When you treat them like a partner, then everyone wins. Sure, sometimes they don’t want partners, and sometimes you have to go public because they put the rest of the world at risk, but you don’t know that until you try talking to them. Finally I should note that in the end the only people winning in this case are the lawyers; the kids won’t win in the way they want, nor will the MBTA. The lawyers, on the other hand, always get paid. I understand the principle of free speech, but at the same time I also don’t believe in yelling “FIRE!” in the movie theater. The right of free speech is a gift from our Founder Fathers; use it responsibly. Finally, when you start to hack the grown-up systems of the world, be prepared to behave like adults. /rant -Jesse Share:

As many of you know, I’m more a washed -up paramedic than a security analyst. My youthful indiscretions tended to involve ambulances and fire trucks (you’d be amazed at all the fun things you can do with them when no one is looking). Although I’m just an EMT these days, I’m still on a federal response team for disasters and other large incidents. In a couple hours I’ll be heading out to wear uniforms for a week and sleep with 60 other people in an undisclosed location (don’t worry, I’m not breaking opsec by revealing that). I’m just a low level grunt on the team but find that a little manual labor does the soul some good on occasion. I may still get some writing done since we should have a fair bit of down time, but I won’t be very responsive over email. A day after that, I head off for a real vacation – my wife and I are cruising Alaska before it all melts. If I try to work on that trip I’ve been told I better practice my cold water swimming skills. Still, I’ll be checking email for emergencies. The next couple of weeks will definitely be ones of contrasts. Share:

Next week I’ll be out of the office on one of my occasional stints as a federal emergency responder. I haven’t had the opportunity to do much since we responded to Katrina, and, to be honest, am surprised the team still lets me hang on (it’s in Colorado, I’m in Arizona, and I don’t get to train much anymore). Who knows how much longer I’ll get to put a uniform on- the politics of domestic response are a freaking mess these days, with all the cash funding the war, and I won’t be surprised if some of the more expensive (and thus capable) parts of the system are dismantled. Hopefully we can hang on through the next election. Anyway, enough of my left wing liberal complaints about domestic security and on to incident management. Although I haven’t written much about it on the blog (just the occasional post), one area I talk a lot about is incident response and disaster management. Translating my experiences as a 9-1-1 and disaster responder into useful business principles. I’m frequently asked where people can get management level training on incident management. While SANS and others have some technology-oriented incident response courses, the best management level training out there is from FEMA. Yes, that FEMA. For no cost you can take some of their Incident Command Systems (ICS) courses online. I highly recommend ICS 100 and ICS 200 for anyone interested in the topic. No, not all of it will apply, but the fundamental principles are designed for ANY kind of incident of ANY scale. If nothing else, it will get you thinking. And while I’m at it, here’s a definition of “Incident” that I like to use: An incident is any situation that exceeds normal risk management processes. Although I’ve sat through a lot of the training before, I never actually went through the program and test. I’m fairly impressed- these are some of the better online courses I’ve seen. Share:

One of the sessions I enjoyed at DefCon was Nathan Hamiel and Shawn Moyer’s, “Satan is on My Friends List”. Aside from directly hacking the security of some of these sites, they experimented with creating fake profiles of known individuals and seeing who they could fool. Notably, they created a profile (with permission) for Marcus Ranum on LinkedIn, then tried to see how many people they could fool into connecting to it. Yes, folks, I fell for it. In my case it wasn’t that big a deal- I only use LinkedIn as a rolodex, and always default to known email accounts before hopping into it. But that’s not how everyone sees it, and many people use it to ask questions, connect to people they want to be associated with but aren’t really connected to. Someone behind a fake profile could spoof all sorts of communications to either gather information or manipulate connections for nefarious reasons (pumping stock prices, getting fake references, disinformation campaigns, and so on). All social networks are vulnerable to manipulation, real world or virtual, but when you remove face to face interaction you eliminate the biggest barrier to spoofing. I avoid some of this by only linking to people I know, have met, and have a reason to keep in contact with. If you’ve sent me a link request because you read the blog or listen to the podcast, and I haven’t responded, that’s why. Otherwise it loses any usefulness as a tool for me. One of Shawn’s recommendations for protecting yourself is to build a profile, even if you don’t actively use it, on all the social networks. Thus I now have MySpace and Facebook pages under my real name, tied to a throwaway email account here at Securosis. WIll it help? Maybe not- it’s easy for someone to create another account with my name and a different email address, but after I tie in a few friends that should reasonably draw people to the real me, whatever that’s worth. One unexpected aspect of this was a brief blast of mortality as Facebook splattered my high school graduating class on a signup page. I haven’t really stayed in touch with many people from high school days; in my mind’s eye they were frozen in the youth and vibrance of those few years we felt we ruled the world. Seeing them suddenly years later, long past the days of teenage hopes and dreams, was a visceral shock to the system. No, we’re not all that old, but at 37 we’re far past any reasonable definition of youth. Damn you Mr. Moyer. I can forgive you for mildly pwning me in your presentation, but smashing open my vaulted teenage memories with a lance of reality? That sir, I can never forgive. Share:

During the second day at Black Hat, somewhat depressed by yet another futile attempt to locate coffee and fighting human gridlock, I decided that it was no longer worth the effort and simply sat down in the nearest conference. And I am glad I did as that random selection of presentations turned out to be one of my favorites of the week. The presentation was called Visual Forensic Analysis and Reverse Engineering, presented by Gregory Conti and Erik Dean. I would offer a link for you, but I have been unable to find the slide deck on line. It is on the CD that was included in the Black Hat goodie bag for those of you who attended, and some of the discussion points are located here (http://lcamtuf.coredump.cx/oldtcp/tcpseq.html) The Conti & Dean presentation shows how, by using different graphing techniques, to identify the contents and even reverse engineer binary files. By performing ?dot plots? and ?byte plot? examples of binary files, you can very quickly detect certain patterns within the binary file that tell you what is contained within the file. Much like a human fingerprint, uuencoded content, text, Word documents, bit mapped images, jpegs, compressed files and encrypted files each had a unique visual signature. For files that may contain several items, it was easy to pick out the begining and ending points of blobs within the file, and then examine specific binary objects in more detail. They showed a couple of examples of extracting out image files from a huge binary file in less than 30 seconds. You know you are a geek when: I remember in the early ’90s that when debugging code or core dumps I was often just winging it. You really did not have a valid stack trace, so you were rummaging around memory looking for something unusual, or some pattern that gave you a clue as to what went wrong. It was more art than science, and it was usually some visual clue or something that just did not look right when you found the root cause of the bug. Again in the mid-90s I can remember loading binary files into a text editor to attempt to, ahem, circumvent and ?no-op? out the licensing module which could often be located through a visual inspection. Of course, this was purely for academic purposes. This same technique was effective in hacking video game binaries and save files (slide 46 of the presentation shows a Neverwinter Nights database file as an example). And it was all based upon looking at the binary structure for patterns and experimenting with value substitutions to alter game functionality. But the graphic tools take this to a whole new level. How do you know your PRNG is producing random numbers? During the presentation, the evolution from these early generation tools and methods was discussed, and then they showed off tools that provide different 3 dimensional graphic representation of what data looks like. One of the examples that I was most impressed with was the graphs that show a distribution for numbers. These are examples of PRNG output (http://lcamtuf.coredump.cx/newtcp/). Random? It is not particularly easy to demonstrate the pseudo-random number generator you are producing random numbers, or collecting entropy to see your random number generator. But by graphing them in this way, you can very quickly see if you have reasonably good randomness ? or not close at all. Anyway, I thought this was a very cool forensic tool for binary files. Check out the graphs as they are very impressive. Share:

I ran across this article last week in the Arizona Republic regarding redesign of the Internet. This was very much in line with one of the recurring topics that seemed to be discussed in the halls at Caesars Palace during Black Hat: how might we change the Internet if we were to start from a clean slate? There are clearly many motivating factors to do so, from the fragility and dependency issues of the Internet on DNS as discussed by Kaminisky , email spam , DDOS, use of a basically insecure connectionless protocol for the vast majority of transactions, to encrypting all Internet traffic to keep government and other entities from spying on us, and the list goes on and on. I have not been following the organizations history all that closely nor am I aware of any published research at this time. I will admit to viewing the GENI effort with a bit of skepticism. While the web site FAQ states ‘It is not a replacement for the Internet (or any other communications technology). Rather the purpose of GENI to test and mature a wide range of research ideas in data communications and distributed systems’. Not sure if the intent with the statement is to underscore the intention to build something entirely new, or if this is hyperbole, but it is clearly at odds with the way the project is being marketed as “A massive project to redesign and rebuild the Internet”, which is why it makes news and why US National Sciences Foundation would consider $12 million in funding. This dichotomy makes me worried right off the mark. I always assumed the success of the Internet was because it was a cheaper and faster way to do things. Simple to understand, easy to use, freedom to say what you want, and almost free to participate. Yes, low cost helps, but the organic growth IMO is really about simplicity and freedom. And the more people who participate, the more information available, and more value. A ‘clean slate’ redesign of the Internet will certainly have design goals of greater reliability, accountability and security. These points are on the agenda’s of every Internet redesign discussion I have seen, and they will come with greater control, expense and monitoring of personal activity. The more I think about it, the more I believe what we need is not a new Internet, but one that sits parallel to the one we have today. The Internet we have today works great for sharing information, which is largely what it was indented to do. It was not designed to be secure, keep data private or conduct commerce. If the intention of the GENI project is to provide a secure medium for commerce in parallel, I am all for it. I am not eager to give up what I like about the Internet to solve the security issues at hand. Share:

During a recent eBay auction, when clicking the “Pay Now” button for an item I had won, I was taken off the eBay site, to a third party merchant site. The merchant site was attempting to verify address information and shipping options, and then forward me to PayPal. I tried going back into my eBay account and making the payment directly to PayPal several times, in an attempt to avoid the third-party site, without success. It appears that eBay is allowing third party merchants to insert their own code and web sites into the checkout process. What’s more, this particular merchant page was a mixture of secure and insecure content and some JavaScript. NoScript took care of the issue for me, but it leaves me wondering. I am not sure if it is my heightened sense of post-DefCon paranoia, but this just seems like a bad idea to me. If I were a hacker, wouldn’t I just love a way to insert myself into the payment process? With most security analysis processes, I start by examining trust relationships I can exploit. This tends to be fertile ground for logic flaws, and these trust points tend not to be closely inspected by users. If I can insert myself into an established trust relationship to launch my attack, I am far more likely to succeed, and this seems like an open window for me to do just that. Bogus image tags, XSS, XSRF, inline frames, or whatever attack du jour; it seems like a natural target for inserting myself between these two trusted entities. I am not saying that any particular merchant site is insecure at this time, but I am willing to bet that regardless of any vetting process third parties go through, their security is not uniformly as strong as eBay’s and PayPal’s. In general, I have no relationship with any of the third party merchant software, so I have no reason to trust the sites or their security. I make purchases on eBay with PayPal because I have a basic trust in their sites, processes, and security teams. This trust does not fully extend to every one of their affiliated merchants and third party sites, now and in the future. Not only that, the third party site offers me, the buyer, no added value, only potentially decreased security. From PayPal’s own “Top Ten Safety Tips”, which they provide with the Security Key, tip number nine is “Stay Safe on eBay: … Pay safely using PayPal, the secure payment method that enables you to shop without sharing your financial information with the seller”. But if the merchant has been linked into the process, and you have to go to a merchant site first, it is somewhat at the seller’s discretion. And if the merchant site has been hacked, all bets are off. I sent the question over to eBay and PayPal security and have not received a response, so I wanted to know what the community at large felt about this. Share: