Research

Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon. Of the 144,963 individuals affected, only 16,642 provided their driver’s license numbers. According to school officials, the breach was a result of “human error” involving compliance protocols when dealing with the personal data. A forensic investigation into the issue revealed that the information was “partly” accessed through a Virginia Tech server in Italy. “The issue here is that someone on our staff goofed,” Larry Hincker, associate vice president for University Relations, said. Kudos to these folks for not blaming a super-sophisticated attack or the APT or any other way to skirt responsibility. They screwed up and lost data. It is also a reminder about the downside of poor security and IT operations. Photo credit: “Professional Strength [GOOF OFF]” originally uploaded by Chapendra Share:

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals: Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards. Meh. In many cases the technologies are already here, or deep into development. The problem isn’t a lack of innovation, but that people keep spending money on the same old crap. That’s a different kind of rut. Besides, no matter what we do, the bad guys will keep innovating around it, as they have been for thousands of years. There are a couple good bits deeper in the article, including: On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them. That is a big one, and worthy of a separate article. Share:

Hurt back yesterday Too much pain to write much now Haiku easier And don’t forget to sign up for our Black Hat cloud security training in December! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s Dark Reading article on Shiny and New. Rich’s Touch ID and Secure Enclave article was picked up by Daring Fireball, AllThingsD, and who knows where else. Dave Lewis at CSO: Stuffing The Social Media Genie Back In Favorite Securosis Posts Adrian Lane: Investigating Touch ID and the Secure Enclave. Really good analysis from Rich on the security implementation of Touch ID on the iPhone 5s. But I’m not buying the ‘article’ angle – he just wanted a cool new toy! Mike Rothman: Cybercrime at the Speed of Light. Everything can (and will) be gamed. Everything. Gal Shpantzer: API Gateways. Especially because it made @beaker jealous. Rich: Keep Calm and Bust out the Tinfoil Hat. Mike is supposed to be an engineer, not a history major. But this is exactly what I have been thinking. Plus, every other country is doing the same thing to the best of their ability. Other Securosis Posts Continuous Security Monitoring [New Paper]. Data brokers and background checks are a massive security vulnerability. Walled Garden Fail. Incite 9/25/2013: Road Trip. Firewall Management Essentials: Quick Wins. A Quick Response on the Great Touch ID Spoof. Favorite Outside Posts Adrian Lane: Meet the machines that steal your phone’s data. Interesting to see professional eavesdropping devices for mainstream law enforcement. Nothing state of the art, but it allows Officer Barbrady to jack a cell tower. Still, before Snowden nobody cared about this stuff. Mike Rothman: Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth”. We’re entering (yet) another new age, when the legal system is nowhere near keeping pace with technological innovation. Interesting thoughts from Marcia Hoffman about the legal question of whether you can be compelled to unlock your phone (with presumably damning evidence on there) because biometrics are not protected under the 5th Amendment, while passwords would be. Rich: A TED talk by master pickpocket Apollo Robbins. This is more entertainment than learning (as are most TED talks), but damn. You may think you understand the limits of your perception, but you don’t. The last line is the real kicker. Dave Lewis: London schoolboy secretly arrested over ‘world’s biggest cyber attack’ Gal Shpantzer: Yahoo recycled email accounts may contain emails destined to old account owner. No matter how they try to talk this up, or what they do to recover, this is a mess. Research Reports and Presentations Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Top News and Posts Chaos Computer Club breaks Apple Touch ID. A Survey of the State of Secure Application Development Processes. Just downloaded a copy. Review forthcoming. TouchID defeated: what does it mean? New CA law will let minors digitally erase their past. ‘Mr Big’ of UK cyber-crime among gang of eight arrested over £1.3million Barclays computer hijack plot in carbon copy of Santander scam Blog Comment of the Week This week’s best comment goes to Gunnar, in response to Cybercrime at the Speed of Light. HFT is about trading, not investing. Traders buy and sell every second of every day. Investors have multi year time horizons. That’s how ordinary should approach it, long term, buy and hold investment not as traders. These events which continue to happen on a more regular basis and show no signs of stopping, are worrisome, for traders. They can bankrupt themselves with their own algorithms, as one of the biggest Knight Capital did last year http://www.forbes.com/sites/halahtouryalai/2012/08/06/knight-capital-the-ideal-way-to-screw-up-on-wall-street/ Share:

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there. Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment. This makes sense given the speed that attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (including both technology and process) to implement our definition of Continuous Security Monitoring (CSM) to monitor your information assets to meet a variety of needs in your organization. We discuss what CSM is, how to do it, and the most applicable use cases we have seen in the real world. We end with a step-by-step list of things to do for each use case to make sure your heads don’t explode trying to move forward with a monitoring initiative. We are indebted to all our licensees for supporting our research and broadening our reach, including Qualys, Tenable Network Security, and Tripwire. We don’t expect you to rebalance security spending between protection and detection overnight, but by systematically moving forward with security monitoring and implementing additional use cases over time, you can balance the scales and give yourself a fighting chance to figure out you have been owned – before it’s too late. Check out the landing page in our Research Library or download the paper directly: Continuous Security Monitoring (PDF) Share:

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Brian Krebs has done some amazing investigative reporting over the years, but this story is an absolute bombshell. An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity. … The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013, … Two other compromised systems were located inside the networks of Dun & Bradstreet, … The fifth server compromised as part of this botnet was located at Internet addresses assigned to Kroll Background America, Inc., a company that provides background, drug, and health screening for employers. In my research for the Involuntary Case Studies in Data Breaches presentation I update every few years, I come across many dozens of breaches of credit check services, data brokers, and other information-gathering services. Go check it out yourself at the DataLossDB and search on Experian, LexisNexis, and so on. What I didn’t know is how many institutions rely on this data for Knowledge Based Authentication, and that it has been broken since at least 2010, according to Avivah Litan of Gartner (who is great – rely enjoyed working with her). I am fascinated because although I always considered this data aggregation a privacy risk – now we see it also as a security risk. Share:

Mailbox is a very popular replacement mail app for iOS that apparently auto-executes JavaScript in incoming emails, according to a post by Italian security researcher Michele Spanuolo (@MikiSpag) Jeremiah Grossman summarized it best: “XSS to account takeover.” Think about it – this app auto-executes any JavaScript received via email. Oops. I emphasize that this is not Apple’s Mail app included with iOS – it is a third-party app called Mailbox in Apple’s Apple App Store. Initially, I thought, hey, they’ll fix it soon – they just got a public report on it from Spaguolo’s blog. But Michele has updated the post – @bp_ posted this issue on Twitter in MAY. So they have been sitting on a big hole for months. This is interesting for two reasons: Apple’s App Store code analysis clearly missed it. Then again, should it have even caught it? The vulnerability doesn’t expose anything on the iOS device itself, and doesn’t violate any of the App Store rules. It also demonstrates that walled gardens, while ‘safer’, aren’t actually ‘safe’. There are entire classes of attacks that likely comply with App Store rules. Like Candy Crush, which is ruining marriages and destroying grades throughout the world. Someone needs to stop the insanity. Enterprises should make damn sure employees aren’t using these services without security vetting. Mailbox is only the start – just look at the many calendar enhancement apps out there. All these little startups use full access to your calendar, mail, contacts, reminders, and social networks to provide a more usable calendar. And almost none of them talk about security in any meaningful way. Rich has been doing some analysis here – they all fail. Mailbox is now owned by Dropbox (confirmed by the Dropbox copyright on the bottom-left of mailboxapp.com). So either Dropbox didn’t do much appsec due diligence when they bought Mailbox, or they found and ignored it, and now they are on the hook and in the spotlight. A spokesperson for Mailbox said the patch for the auto-execution vulnerability is inbound by end of Wednesday (today), according to that article. It is interesting to see how software vendors react to such disclosure, but to me the more interesting aspect is the insight into what Apple’s App Store vetting misses… Share:

Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is: Boon: Jesus. What’s going on? Hoover: They confiscated everything, even the stuff we didn’t steal. Bluto: They took the bar! The whole f****** bar! [Otter grabs a bottle of whiskey and throws it to Bluto, who chugs it all.] Bluto: Thanks. I needed that. Hoover: Christ. This is ridiculous. What are we going to do? Otter & Boon: Road trip. ROAD TRIP! Just the mere mention of those words makes me smile. Like most folks, I have great memories of the road trips I took in high school, college, as a recent graduate, and even now when my ATL buddies and I make a pilgrimage to go see a SEC football game every year. There isn’t much better than hopping in the car with a few buddies and heading to a different location, equipped with a credit card to buy decent drinks. Though this past weekend I had a different kind of road trip. I took The Boy to go see the NY Giants play in Charlotte. After a crazy Saturday, we drove the 3.5 hours and even had dinner at Taco Bell on the way. He loves the Doritos shell tacos and since it was Boys weekend, we could suspend the rules of good eating for a day. We stayed at a nice Westin in downtown Charlotte and could see the stadium from our room. He was blown away by the hotel and the view of the stadium at night. It was great to see the experience through his eyes – to me a hotel is a hotel is a hotel. We slept in Sunday morning, and when I asked him to shower before breakfast, he sent a zinger my way. “But Dad, I thought on Boys weekend we don’t have to shower.” Normally I would agree to suspend hygiene, but I had to sit next to him all day, so into the shower he went. We hit the breakfast buffet and saw a bunch of like-minded transplanted New Yorkers in full gear to see the Giants play. He got a new Giants hat on the walk to the stadium and we got there nice and early to see the team warm-ups and enjoy club level. Of course, the game totally sucked. The G-men got taken to the woodshed. Normally I’d be fit to be tied – that was a significant investment in the hotel and tickets. But then I looked over and saw the Boy was still smiling and seemined happy to be there. He didn’t get pissed until the 4th quarter, after another inept Giants offensive series. He threw down the game program, but within a second he was happy again. I kept asking if he wanted to stay, and he didn’t want to go. We were there until the bitter end. After the long trip home, as he was getting ready for bed, we got to do a little post-mortem on the trip. He told me he had a great time. Even better, he suggested we take road trips more often – like every weekend. Even though I didn’t have one drink and the Giants totally sucked, it was the best road trip I’ve ever taken. By far. –Mike Photo credit: “Smoke Hole Rd, WV” originally uploaded by David Clow Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Continuous Security Monitoring Migrating to CSM The Compliance Use Case The Change Control Use Case The Attack Use Case Classification Defining CSM Why. Continuous. Security. Monitoring? Newly Published Papers Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Defending Cloud Data with Infrastructure Encryption Incite 4 U Security According to Security Moses: Evidently Security Moses has descended from Mt. Sinai with the tablets of CISO success: the 10 Golden Rules of the Outstanding CISO by Michael Boelen. Most of this stuff is obvious, but it’s a good reminder that your integrity is important and to focus on the fundamentals. I had a chat with a large enterprise yesterday about that very topic. Don’t forget to be the “master of communication” and not to panic. Although it is easy to panic when the house seems to be burning down. Don’t oversell what you can do, and remember that process beats technology. Again, not brain surgery here, but under duress it’s always good to go back and consult the stone tablets. – MR Emphatic Maybe: A simple statement like “We don’t have backdoors in our products” would address the issue. The problem is that every vendor who has released a statement regarding the NSA compromising their platforms has issued a qualified answer. This time it’s RSA, with “We don’t enable backdoors in our crypto products.” Which means exactly what? You have someone else do it? The NSA dropped the code into your product, so you didn’t have to? Was the RNG subsystem weakened to achieve the same result? Those are all accusations being thrown about, and the released statement does not definitively address them. The recommendation to stop using BSafe’s Dual Elliptic Curve Deterministic Random Bit Generator was a step in the right direction. Still, the ambiguity, which looks intentional, is fueling the fire of what has now become the biggest security story of the year. And it is reducing trust in data security vendors. In fact, it’s generating renewed interest in security

As we put a little bow on our Firewall Management Essentials series, it’s time to focus on getting quick value from your investment. We are big fans of a Quick Wins approach, because far too many technologies sputter as deployment lags and value commensurate with the investment is never seen. The quick wins approach focuses on building momentum early in the deployment by balancing what can be done right now against longer-term goals for a technology investment. If a project team doesn’t prove value early and often, that typically dooms the implementation to failure. For firewall management, the lowest hanging fruit is optimization of existing rule sets before implementing a strong change management process. But let’s not put the cart before the horse – first you need to deploy the tool and integrate it with other enterprise systems. Deployment and Integration The good news for firewall management is that one central server can handle quite a few firewalls – especially because the optimization and change management processes happen on a periodic, rather than continuous or real-time, basis. It’s not like management devices need to be inline and monitoring continuously, so the deployment architecture won’t make or break the implementation. Typically you deploy the firewall management server in a central location, and have it discover all the firewalls in your environment. You might kickstart the effort by feeding the list of existing firewalls into the management system. Do you want one central system, or a distributed environment? That depends on the scale of your environment and how quickly you need to be notified of changes. The longer the interval before rechecking each device’s configuration, the longer the window before you detect an unauthorized change. So you need to balance resource consumption against frequent checks to narrow the exploitation window between exploitation and detection. The deployment architecture depends more on the frequency of monitoring for configuration changes than on anything else. The change process (workflow) can run off the central server. And the math to optimize a rule set doesn’t consume resources on a firewall. We have seen large firewall environments (think service providers) managed by a handful of firewall management devices – multiple devices installed for availability and redundancy, rather than for performance reasons. For integration, as described earlier in this series, you will want to pull or push information from tools like a vulnerability management system, a SIEM/log management tool, and/or a reporting/GRC system. Most of these tools have well-established APIs, and it is reasonable to expect your vendor to already have integrated with the leading tools in these categories. Pulling information into the firewall management tool provides more context to understand what changes pose what risk. The area where you will gain the most value from enterprise integration is the help desk/task management system. Given the operational leverage of automating an effective firewall change management process, you will want to make sure changes are tracked in whatever tool(s) the operations team uses so you don’t have two sources of information, and everything is in sync. The good news is that these operational tools are mature, with mature SDKs for integration. Again, it is reasonable to expect your firewall management vendor to have already integrated with your work management environment. Getting the Quick Win and Showing Value We covered the change management process first in this series, because over time it is where we typically see the most sustainable value accrued. But in a quick wins scenario we need to get something done now. So going through existing firewalls and pinpointing areas of improvement, in terms of both security and performance, can yield the quick win we want. This is the optimization process. The first job is to get value, but that is no good unless you can communicate it. So look to reports to highlight the results of the early optimization efforts. You will want to show things like how many unused rules were eliminated (reducing attack surface), as well as whether any of your old rules conflicted, and how the cleanup improved security. This quick effort (it should take a day or two) can build momentum for the next area of focus: change management. Once the change management process is accepted in the environment and enumerated in the firewall management tool, you can start tracking service levels and response times on changes happening daily. You can also track the number of times changes that would have increased attack surface were flagged (and stopped) before going operational, to show how the tool reduces risk and increases the accuracy of firewall changes. This highlights the benefits of a firewall management tools to reduce the risk of a faulty rule change and adding attack surface. A what-if analysis of potential changes can ensure that nothing will break (or crush performance) before actually making a change. You can also demonstrate value by migrating rules from one firewall to another. If you need to support a heterogeneous environment, or are currently moving to a NGFW-based architecture, these tools can provide value by suggesting rule sets based on existing policies and optimizing them for the new platform. If you are a glutton for punishment you can migrate one device without using the tool (busting out your old spreadsheets), and then use the firewall management tool for the next migration for a real comparison. Or you can use an anecdote (we saved XX days by using the tool) to communicate the value of the firewall management tool. Either way, substantiate the value of the tool to your operational process. Finally, at some point after deploying the tool, you will have an assessment or audit. You can then both leverage and quantify the value of the firewall management tool, in terms of saving time and increasing the accuracy of audit documentation. Depending on the regulation, the tool is likely to include a pre-built report which requires minimal customization the first time you go through the audit, in order to generate documentation and substantiate your firewall controls. You have now learned a bit about how to manage your firewalls in a

If you are thinking about skipping this post because you are not a developer, or think APIs are irrelevant to you, stop! You are missing the point of an important trend in both security and development. Today we launch our research paper on API gateways. It includes a ton of information about what these gateways are, how they work, and how best to take advantage of them. Additionally, we describe this industry trend and how it bakes security into the services. Even non-developers will be seeing these and working with one in the near future. On a more personal note, I need to say that this was one of the more fun projects I have worked on recently. The best research projects are the ones where you learn a lot. A full third of the content in this paper either was previously unknown to me, or I had not connected the dots to fully realize the picture they create, before Gunnar Peterson and I started the project. And for you jaded security and IT practitioners who have seen it all, I am willing to bet there is a lot going on here you were not aware of either. Going into the project I did not understand a few key things, such as: That lumbering health care company exposed back-office services to the public. Via the Internet? They can’t get out of their own way on simple IT projects, so how did they do that? I understand what OAuth is, but why is it so popular? It doesn’t make sense! How did that old school brick and mortar shop deliver Android and iOS apps? They don’t develop software! Someone is making money with apps? Bull$!^&: That’s ‘labor of love’ stuff. Show me how, or I don’t buy it! The word ‘enablement’ is one of those optimistic, feel-good words product vendors love. I stopped using it when I started working at Securosis because we hear a poop-storm of bloated, inappropriate, and self-congratulatory terms without any relevance to reality. When I am feeling generous I call it ‘market-leading’ optimism. So when Gunnar wanted the word ‘enablement’ in the title of the paper I let out a stream of curse words. “Are you crazy? That has got to be the dumbest idea I’ve ever heard. Security tech does not enable. Worse, we’ll lose credibility because it will sound like a vendor paper!” But by the end of the project I had caved. Sure enough, Gunnar was right. Not purely from a technical perspective, but also operationally. Security, application development, and infrastructure have evolved with a certain degree of isolation, which enables companies to provide external services while satisfying compliance requirements, often despite lacking in-house development skills. Anyway, this has been one of the more interesting research projects I have worked on. Gunnar and I worked hard to capture the essence of this trend, so I hope you find it as educational as I did. We would like to heartily thank Intel for licensing this content- they have an API Management solution and you can download the report from Intel’s API Gateway resource center that has tutorials and other related technical papers. We’ll have an upcoming webcast with Intel so I encourage you to register with them if you want more details. You can also download a free copy from our library : API Gateway research. Share: