Research

A little birdie pointed me to the latest post over at the Metasploit blog. For those of you that don’t know, Metasploit is the best thing to hit penetration testing since sliced bread. To oversimplify, it’s a framework for connecting vulnerability exploits to payloads. Before Metasploit it was a real pain to convert a new vulnerability into an actual exploit. You had to figure out how to trigger the vulnerability, figure out what you could actually do once you took advantage of the vulnerability, and inject the right code into the remote system to actually do something. It was all custom programming, so script kiddies had to sit idly by until someone who actually knew how to program made a tool for them. The Metasploit framework solves most of that by creating a standard architecture where you can plug the exploit in one end, then choose your attack payload on the other. Assuming you can script (or find) the exploit, Metasploit takes care of all the difficult programming to connect to convert that exploit into something that can actually do anything. New exploits and payloads appear on a regular basis, and the tool is so easy even an analyst like me can use it (web interfaces are just so friendly). Commercial equivalents used by penetration testers are Core Impact and Immunity Canvas. I tend to think the commercial versions are more powerful, but the open source nature of Metasploit means exploits usually appear faster, and it’s plenty powerful. Besides, any script kiddie (or analyst) can download it for free and be up and running in no time (full disclosure- I use Core Impact and Metasploit in live demos, and am on the Daily Dave email list run by Immunity). So what the heck does this have to do with turning off wireless? Metasploit is working on a module to transition kernel mode exploits into user mode. This is, say, exactly what you’d need to plug in a wireless driver hack on one side, and use that to create a reverse shell under root on the other. Sound familiar? This was one of the tricks Maynor demonstrated in the Black Hat wireless video (and why he didn’t need root). The kernel runs in ring 0- this is below any concept of a user account. Think of it as the world before root even exists. When you exploit something in the kernel you’ve bypassed nearly every security control and can do whatever you want, but since you’re running at such a low level, without any user accounts, the kinds of commands we’re used to are a lot more limited. You can’t list a directory because “ls” or “dir” don’t exist yet. If you want a reverse shell, to execute user commands, or whatever you need to convert that kernel mode access into userland access- where concepts like user accounts and shells exist. In Maynor’s case he dropped code in the kernel to create a reverse shell to his second system over a second wireless connection. Tricky stuff (so I hear, it’s not like I can do any of this myself). The Metasploit team specifically cites wireless driver hacks as one of their reasons for adding this to the framework. With confirmed vulnerabilities on multiple platforms and devices this could foretell a new wave in remote exploits- attacks where you just need to be in wireless (including Bluetooth) range, not even on the same network. I’ve heard underground rumors of even more vulnerabilities on the way in all sorts of wireless devices. The module isn’t complete, but everything in Metasploit tends to move fast. Based on this advancement I no longer feel confident in leaving my wireless devices running when they aren’t in use. I’m not about to shut them off completely, but my recommendation to the world at large is it’s time to turn them off when you aren’t using them. More device driver hacks are coming in 2007, and wireless will be the big focus. Share:

Before I delve into this topic I’d like to remind readers that I’m a Mac user and Apple fan. We are a 2 person, 2 Mac, 3 iPod, 2 Airport Express household, with another Mac in the plans this spring. By the same token I don’t think Microsoft is evil and consider some of their products to be quite good. That said I prefer OS X and have no plans to switch to Vista, although I’ll probably run it in a virtual machine on my Mac. What I’m about to say is in the nature of protecting, not attacking, one of my favorite vendors. Apple faces a choice. Down one path is the erosion of trust, lost opportunities, and customers facing increased risk. On the other path is increased trust, greater opportunities, and happy, safe, customers. I have a lot vested in Apple, and I’d like to keep it that way. As most of you probably know by now, Apple shipped a limited number of video iPods loaded with a Windows virus that could infect an attached PC. The virus is well known and all antivirus software should stop it, but the reality is this is an extremely serious security failure on the part of Apple. The numbers are small and damages limited, but there was obviously some serious breakdown in their security controls and QA process. As with many recent Apple security stories this one was about to quietly fade into the night were it not for Apple PR. In Apple’s statement they said, “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.”. As covered by George Ou and Amrit Williams, this statement is embarrassing, childish, and irresponsible. It’s the technical equivalent of blaming a crime victim for their own victimization. I’m not defending the security problems of XP, which are a serious epidemic unto themselves, but this particular mistake was Apple’s fault, and easily preventable. While Mike Rothman agrees with Ou and Williams, he correctly notes that this is just Apple staying on message. That message, incorporated into all major advertising and marketing, is that Macs are more secure and if you’d just switch to a Mac you wouldn’t have to worry about spyware and viruses. It’s a good message, today, because it’s true. I bought my mom a Mac and talked my sister into switching her small business to Macs primarily because of security. I’m overprotective and no longer feel my friends and family can survive on the Internet on XP. Vista is a whole different animal, fundamentally more secure than its predecessors, but it’s not available yet so I couldn’t consider that option. Thus it was iMac and Mac mini city. But when Apple sticks to this message in the face of a contradictory reality they expose themselves, and their customers, to greater risks. Reality is starting to change and Apple isn’t, and therein lies my concern. All relationships are founded on trust and need. (Amrit has another good post on this topic in business relationships). One of the keystones of trust is security. I like to break trust into three components: Intent: How do you intend to treat participants in a relationship? Capability: Can you behave in compliance with your intent? Communication: Can you effectively communicate both your intent and capability? Since there’s no perfect security we always need to make security tradeoffs. Intent decides how far you need to go with security, while capability defines if you’re really that secure, and communication is how you get customers to believe both your intent and capability. Recent actions by Apple are breaking their foundations of trust. As a business this is a critical issue; Apple relies heavily on trust to grow their market. Trust that their products work well, are simple to use, include superior capabilities, and are more secure. Apple’s message is that Macs are secure, simple, elegant, and reliable. Safe and secure is a powerful message, one that I suspect (based on personal experience) drives many switchers. When I told my cab driver today that Macs have no spyware or active viruses he was stunned. Should Apple lose either their intent to provide superior security, their capability to achieve security, or their ability to communicate either of those, they face reasonable risk of losing customers, or at least growth opportunities. Security, today, is one of Apple’s cornerstones. Anything that erodes it increases their business risks. At the same time, should communication disconnect from either intent or capability, Apple places then places both their trust relationship, and their customers, at risk. Take my favorite snake-oil salesmen at Diebold– by having no intent to secure their products and no security capabilities in their products, and communicating that the products are secure, they create huge potential for security failures. Less educated customers buy products thinking they’re secure, but the products are so flawed it places these customers (the voting public) at extreme risk. Software vendors have done this in the past- claiming products are secure and covering up failures in the hopes the customers and prospects won’t notice. Recent events indicate that Apple may stay on an impossible message (perfect security) and face failures in capability despite the best intent. The entire Black Hat debacle showed Apple pushing the message so hard that the debate lived far longer than needed, exposing more of the public to a potential security failure than would have otherwise noticed, drawing the attention of researchers who may now want to prove Apple isn’t invincible, and losing the trust of some of us in the industry disappointed by PR’s management of the incident. The iPod virus infections shows a lack of capability (security QA in shipping products) and poor communications (failure to take full responsibility). It’s a very small problem, but their arrogant approach to spinning the story lead me to question how they might respond to more serious issues. We have, over the course

I’ve noticed a marked decrease in the customer service from my phishers. Lately spam messages have been originating from “On-line Bank” and other generic addresses. Spelling mistakes are returning, and links no longer even pretend to go to a real bank’s site. Where’s the customer service guys? What’s wrong- is my business no longer important to you? Can’t you even make the effort to personalize your fraudulent messages and entice me with your ever-so-mangled, yet poetic, use of English? Phishing must be big business these days because, like other big businesses, they no longer seem to make the effort to acquire and retain customers through personal services. I really think I’m worth the effort. At least make me think you’re trying. Share:

Stiennon covered the McAfee/Onigma deal over at Threat Chaos this weekend. Although I knew about the deal I try and avoid vendor/industry coverage here at Securosis, and, to be honest, it really isn’t worth covering. (Onigma is tiny and agent based, not really the direction the market is heading, and by the time McAfee integrates the tech they’ll be WAY behind the ball). But Richard does make an interesting statement; defining data protection as leak prevention + encryption + device management. It’s a reasonable start, but far too narrow. For the past 5 years I’ve covered data security pretty exclusively; long before it was cool and sexy. Until recently data security’s been the red-headed step-child of the security world- always hanging out on the side of the playground, but the last kid you’d pick for your kickball team. These days that little red-head is all grown up, making his way through the early draft picks and getting read to go pro (take THAT you overused security metaphors). I like to define defensive security as four main security stacks (listed in a data/application centric order, you network guys tend to look at it differently): Host Security: a secure place to put stuff Data Security: securing the stuff Application Security: securing the things that access the stuff Network Security: securing the environment around the stuff On the data security side I took about two years to develop a framework to pull together the disparate technologies being thrown at the problem, from database encryption, to DRM, to activity monitoring. While I can’t dig in too deep here (since all that intellectual property is controlled by my employer), I can still outline the framework since, at this point, all the information’s been used in multiple press interviews and public presentations. The Data Security Hierarchy consists of: Content Monitoring and Filtering (sometimes called leak prevention) Activity Monitoring and Enforcement Logical Controls Encryption Enterprise DRM Access Controls These are just high-level general layers that sometimes encompass multiple technologies. CMF is usually a single technology, but, for example, there are about 10 different encryption technologies/markets. Overall there are about 20-30 different technologies shoved into the different layers, some with a very narrow scope (like portable device control), others with a pretty broad scope (like CMF). Data security isn’t just a bunch of additive technologies tossed together. Just as we spent the 90’s and early 00’s devising models, frameworks, and approaches to network security, we need to do the same for data security. Protecting data is very different from protecting networks and one of the bigger challenges in security in the coming years is to manage it strategically… …and it ain’t just encrypt everything. Share:

While I was out running around the country, turns out there was an interesting security article in my own backyard. Seems the local school system can’t keep up with those innovative students exploring their network. A students was caught after hacking a teacher’s computer to steal a copy of an upcoming test. “As a parent, I think it’s kind of scary all the technology, because the kids know more than we do,” she said. “They have different lines of communication compared to when we were growing up.” Haug added that it’s unfortunate that a student smart enough to hack into a computer did not put his intelligence to better use. But she said she is pleased that another student reported the hacker. “That’s pretty remarkable,” Haug said. “That says a lot about their morals and that they’re ethical enough to do that.” I suspect it was another kid hitting on the same girl, but I suppose even high school kids have their ethical moments. My brother in law works on the tech education side of a high school and has relayed some interesting stories about the problems of intelligent students on public education networks. At Symposium I met with a group from a school system struggling to limit access to MySpace and porn. The kids were avoiding URL filters by tunneling through their home computers. I used to work in higher ed, but that was in the days where we didn’t really care (well, I did, but not the higher admins). I really feel for those of you working in public schools. School boards and activist parents (the ones not very involved with their kids lives, who scream and rant at the school system for fun) hold witch trials, complete with the public burning at the end, if any student so much as glances at a stray boob. Not that theses kinds of parents actually monitor their kid’s Internet and TV usage at home, using it as an educational tool. When it comes to censorship, China has nothing on an inflamed school board. Here’s the problem. Smart teenage boys + technical skills + the Internet = boobs. You can take your best precautions, but you’ll never stop them. Every high school probably has one kid who can tunnel HTTP over SSH over DNS to their proxy at home and bounce out to MyBoobs.com. I made some suggestions to the clients that should reduce their exposure significantly, but also told them that if they’ll face disciplinary action if that smart kid goes public, they might as well polish up the resumes now. What’s a school district to do? Start by accepting you can’t control the Internet. Then install whatever reasonable security controls you can afford, especially a good URL filter and endpoint protection for teachers’ computers. Be smart about it- high school students will need to research breast cancer and read National Geographic; don’t low-ball and buy some tool that won’t even let them research Essex County. Most important? Educate teachers and parents. Parents should actively participate online with your kids. Nothing else will work. And there’s no humanly possible way to keep a teenage boy from his boobs. Trust me. Share:

Microsoft is making key changes to Vista to avoid antirust problems. They’re adding an API to PatchGuard, and loosening control on the Security Center. From the ZDNet article: In another change, Microsoft had planned to lock down its Vista kernel in 64-bit systems, but will now allow other security developers to have access to the kernel via an API extension, Smith said. Additionally, Microsoft will make it possible for security companies to disable certain parts of the Windows Security Center when a third-party security console is installed, the company said. … Microsoft will provide a way to ensure that Windows Security Center will not send an alert to a computer user when a competing security console is installed on the PC and is sending the same alert, the company said. Opening the kernel through a secure API is a reasonable idea- not as secure as a complete lockdown, but it does enable some valuable security tools outside of antivirus and host intrusion prevention that would have been locked out (like activity monitoring). MS would have had to do this eventually. I’m not as thrilled with the Security Center change- I want the operating system itself to warn me when core security functions are changing. In both cases I hope code signing will be required to limit hacker exploitation of these functions, but I doubt MS will be allowed to enforce it. Share:

Shimel has a good post on the whole 0day vulnerability thing. He nails it. This has been a pet peeve of mine for a long time. A real 0day isn’t the time from when a vulnerability is announced until a patch is released. A real zero day is a vulnerability no one knows about except those who discovered it. A zero day exploit is an attack against a non-public, unknown vulnerability. A real zero day is bad juju. It slices through any signature based security defenses since there’s no known signature. If it’s on a common port, and you don’t detect it through some sort of behavioral based or impact based technique (like the server dying), it’s hard or impossible to stop. A smart attacker with a true zero day implementing a targeted attack is extremely hard, if not impossible, to stop. Odds (for us) are a little better if they’re dumb enough to go for the mass exploit, thus setting off all sorts of alarms (maybe). There are very few true zero day attacks. Even fewer on a large scale. Be thankful they don’t happen more often. Those “0day” protection tools you bought or compiled on your own probably won’t help a whole lot. Layer the defenses, follow best practices, and realize you can’t stop them all. Share:

I picked up the ever-ubiquitous USA Today sitting in front of my hotel room door this morning and noticed an interesting article by Jon Swartz and Byron Acohido on cybercrime markets. (Full disclosure, I’ve served as a source for Jon in the past in other security articles). Stiennon over at Threat Chaos is also writing on it, as are a few others. About 2-3 years ago I started talking about the transition from experimentation to true cybercrime. It’s just one of those unfortunate natural evolutions- bad guys follow the money, then it takes them a little bit of time to refine their techniques and understand new technologies. I can guarantee that before banks started buying safes and storing cash in them, the only safecrackers were bored 13 year old pimply faced boys trying to impress girls. Or the guys who make the safes and spend all their time breaking the other guy’s stuff. Trust me, I have a history degree. We all know financial cybercrime is growing and increasingly organized. Unlike most of the FUD out there, the USA Today article discusses specific examples of operating criminal enterprises. Calling themselves “carders” or “credit card resellers” these organizations run the equivalent of an eBay for bad guys. And this is only one of the different kinds of criminal operations running on the web. We, as an industry, need to start dealing with these threats more proactively. We can’t win if all we do is play defense. I used to teach martial arts, and we’d sometimes run an exercise with our students where they’d pair of for sparring, but one person was only allowed to defend. No attacks, no counterattacks, blocking only. The only way you can win is if the other guy gets so tired they pass out. Not the best strategy. This is essentially how we treat security today. As businesses, government, and individuals we pile on layers and layers of defenses but we’re the ones who eventually collapse. We have to get it right every time. The bad guys only have to get it right once. Now I’m not advocating “active defenses” that take down bad guys when they attack. That’s vigilantism, and isn’t the kind of thing regular citizens or businesses should be getting into. Something like a tar pit might not be bad, but counterattacking is more than a little risky- we might be downing grandma’s computer by mistake. One of the best tools we have today is intelligence. We in the private sector can pass on all sorts of information to those in law enforcement and intelligence who can take more direct action. Sure, we provide some intelligence today, but we’re poorly organized with few established relationships. The New York Electronic Crimes Task Force is a great example of how this can work. One of the problems those of us on the private side often have with official channels is those channels are a black hole- we never know if they’re doing anything with the info we pass on. If we think they’re ignoring us we might go try and take down a site ourselves, not knowing we’re compromising an investigation in the process. Basically, none of this works if we don’t develop good, trusted relationships between governments and the private sector. When it comes to intelligence gathering we in the security community can also play a more active role, like those guys on Dateline tracking pedophiles and working with police directly to build cases and get the sickos off the street. Those of you on the vulnerability research side are especially suited for this kind of work- you have the skills and technical knowledge to dig deep into these organizations and sites, identify the channels, and provide information to shut them down. We just can’t win if all we do is block. While we’re always somewhat handcuffed by playing legal, we can do a heck of a lot more than we do today. It’s time to get active. But I want to know what you think… Share:

Martin McKeay has a great addition to my post on experts. I’d like to add one point to this: There’s always going to be someone who knows more about the subject than you do. I don’t care how good you are, somewhere there’s someone who understands what you’re working on better than you do He’s right. Really right. I just want to know who the heck that guy at the end of the chain is. Probably some monk in the mountains with a metaphysical relationship to the OSI model. Share:

I’m on the plane heading back home from Symposium and have to admit I noticed a really weird trend this week. Maybe not a trend per se, but something I haven’t heard before, and I heard it more than once. In two separate one on one meetings clients told me they’d reorganized their security teams and were now calling them “risk management”. No security anymore, just risk management. I’m a big proponent of risk management. I even wrote a framework before it was cool (the Gartner Simple Enterprise Risk Management framework if you want to look it up). Now all the kids are into it, but I get worried when any serious topic enters the world of glamorous trend. Usually it means anyone with a tambourine starts jumping on the bandwagon. Problem is, without a lead guitar, drummer, keyboardist, or even, god forbid, a bassist, there’s a lot of noise but they ain’t about to break out in a sudden rendition of Freebird. Probably. Not. Risk management is a tool used by security practitioners, and security is a powerful tool for risk management. If you catch me in a rare moment of spiritual honesty I’ll even admit that security is all risk management. I even often recommend that security report to a Chief Risk Officer (or your title-happy equivalent). Risk management is mitigating loss or the potential for loss. Security is one tool to reduce risk, and a good security team uses risk management as a technique for balancing the costs and benefits of security controls and deciding where to focus limited resources. (At this point I’d like credit for not expanding the innuendo of the title with some… uh… circular arguments. I’m not completely juvenile. Probably. Not.) But dropping the name “security” is just silly. Both security and risk management are established disciplines with related but different skills. Risk management plays the higher-level role of evaluating risk across the enterprise, helping business unite design risk controls, measuring exposures, and taking action when those exposures exceed tolerance. It’s a guiding role since risk managers will NEVER have the same depth of domain expertise as someone with years of experience in their particular business specialty. Security is one of those specialties (and notice I didn’t just say “information” security). Yes, good security professionals have strong risk management skills since nearly every security decision involves risk. That doesn’t mean we’re experts in all types of risk. It does mean we’re domain experts in ensuring the confidentiality, integrity, and availability of either IT systems (for us geeks) or the physical world (for us goons). It’s security. Don’t re-label it risk management. It’s okay to report to risk management, but it’s still security. Share: