Spliced feed for Security Bloggers Network

Blogging Blackhat, Day Two [Digital Bond]

Posted: 08 Aug 2008 02:00 AM CDT

The second and final day of Blackhat has come and gone. Some good presentations today, and probably more interesting to the critical/control system area of security. The activity at Defcon is already starting to pickup, and lots of parties going on tonight from the major and minor players and generally a lot of winding down for the presenters.

I started the day with a great presentation from Felix Lindner on forensics in Cisco IOS. Essentially examining full memory dumps, and some of the configuration and debugging techniques available on IOS. This is something that I think we could see applied to PLCs, assuming the PLC has some sort of rudimentary debugging interface it could be trivial to checksum the RAM/ROM and detect changes, both intentional and unintentional. Also interesting pickup from the presentation is that there are estimated to be somewhere in the neighborhood of 100,000 different IOS builds out in the wild and approx 15,000 of which are currently supported by Cisco.

Next up was Billy Hoffman's presentation of JavaScript techniques for circumventing automated analysis tools. This presentation was near and dear to me and some of my previous research was creating an analysis tool called Caffeine Monkey that was mentioned quite a bit in the presentation. Hoffman does good work and makes me more and more paranoid every time I use a web browser. JavaScript is among the most common attack tools used today, Flash is on its way and I bet we see attackers leveraging the additional functionality there soon.

Travis Goodspeed has done some interesting work on dumping and reprogramming the firmware on the MSP430 microcontroller. Fascinating research, but honestly I didn’t have enough of an electrical engineering background to completely understand it, lots of waveforms.

The SCADA fuzzing presentation was interesting. There was a lot of buzz leading up to the talk and rumors floating around about vendor lawyers and court orders, but in the end the presentation was given. Essentially Sergey Bratus of Dartmouth College, working with TCIP was able to cause a lot of damage to some real SCADA systems. With no real knowledge of the proprietary protocols Sergey was able to use some compression techniques along with some evolutionary fuzzing to completely crash the system. No details of exploits and such were given, and the presenters were careful not to give any real details about the vendors affected. There is quite a mess of protocols floating around these critical systems and anyone who’s looked at them knows that they aren’t exactly the cleanest/clearest, and the only solution to that is open and peer reviewed standards. A lot of side talk after the presentation about asset owners pushing vendors, and government intiatives/requirements.

Lastly, there was a big announcement from Microsoft. I was unable to attend as I was in the SCADA talk above, but it appears that they’re going to begin sharing information with customers and partners on a more official basis. From the Q&A that I caught the last bit of there seemed to be hints of MS working with 3rd party software developers to fix vulnerabilities in their software running on the Windows platform. Few details were given, and they were clear that they wouldn’t be acting as a CERT, but clearly they’re preparing to be more involved with the process. I have to think that they’re going to be most interested in Enterprise software, but without a doubt there will be some interested in critical systems as well. It will be interesting to see how the program shapes up over the coming months.

Thats all for now, the chaos of Defcon really gets going tommorrow, should be some interesting stuff, and one very interesting on involving cell phones.

Twitter Updates for 2008-08-07 [.:Computer Defense:.]

Posted: 07 Aug 2008 10:59 PM CDT

Booze is next to the nCircle booth. Nice! #
Trying to figure out where to go... Suggestions #

Black Hat: The Risks Of Trusting Content [securosis.com]

Posted: 07 Aug 2008 06:03 PM CDT

I’m sitting in the Extreme Client-side exploitation talk here at Black Hat and it’s highlighting a major website design risk that takes on even more significance in mashups and other web 2.0-style content.

Nate McFeters (of ZDNet fame), Rob Carter, and John Heasman are slicing through the same origin policy and other browser protections in some interesting ways. At the top of the list is the GIFAR- a combination of an image file and a Java applet. Since image files include their header information (the part that helps your system know how to render it) and JAR (java applets) include their header information at the bottom. This means that when the file is loaded, it will look like an image (because it is), but as it’s rendered at the end it will run as an applet. Thus you think you’re looking at a pretty picture, since you are, but you’re also running an application.

So how does this work for an attack? If I build a GIFAR and upload it to a site that hosts photos, like Picassa, when that GIFAR loads and the application part starts running it can execute actions in the context of Picassa. That applet then gains access to any of your credentials or other behaviors that run on that site. Heck, forget photo sites, how about anything that let’s you upload your picture as part of your profile? Then you can post in a forum and anyone reading it will run that applet (I made that one up, it wasn’t part of the presentation, but I think it should work). This doesn’t just affect GIF files- all sorts of images and other content can be manipulated in this way.

This highlights a cardinal risk of accepting user content- it’s like a box of chocolates; you never know what you’re gonna get. You are now serving content to your users that could abuse them, making you not only responsible, but which could directly break your security model. Things may execute in the context of your site, enabling cross site request forgery or other trust boundary violations.

How do manage this? According to Nate you can always choose to build in your own domain boundaries- serve content from one domain, and keep the sensitive user account information in another. Objects can still be embedded, but they won’t run in a context that allows them to access other site credentials. Definitely a tough design issue. I also think that, in the long term, some of the browser session virtualization and ADMP concepts we’ve previously discussed here are a god mitigation.

The Four Horsemen of CLeopatra's Barge [Jeff Jones Security Blog]

Posted: 07 Aug 2008 03:36 PM CDT

One of the more interesting session I went to yesterday was a talk by Chris Hoff called "The Four Horsemen of the Virtualization Apocalypse." (If you've never read Hoff's blog, you should check it out at http://rationalsecurity.typepad.com/.)

I thought I was keeping a close eye on security and virtualization issues, but this talk illustrated how wide and varied the topic really is. This was not about Blue Pill and it wasn't about having security monitors in the hypervisor - instead he focused on how virtualizing physical devices (e.g. switches, systems) will cause lots of problems for security architects and administrators.

Briefly, here are the four horsemen:

Conquest - Translating your physical capacity planning implementation to virtual devices probably won't work.
Death - Virtualized networks lack several physical attributes assumed by security applications and high-availability devices today - you'll probably have to re-architect it all to get the same functionality, which might not even be possible in your new virtual world
War - Adding security VAs takes away precious resources that could have been used to dynamically add VMs. It is a war of resources.
Famine - With all of the redesigning and accommodation happening, security costs are going to eat into any savings you make on server consolidation.

Now, if you want to read the much more thorough version, see Hoff's original post here.

Okay, how does this all relate to the title of my post? Not much. However, much later on day one, things really started rolling.

After being crowded out of the Shadow Bar, a bunch of us ended up over at Casa Fuente (A cigar bar in Caesars forum). Five minutes after arriving, someone spilled a drink in my lap, big fun! It turns out that it was Stepto's birthday, and Hoff makes sure everyone has a drink and we all sing happy birthday to Stepto. Check out part of it, courtesy of Jack Daniel:

Immediately after the toast, Jennifer Jabbusch knocks over a table, falls to the floor and begins having a seizure. Stepto rushes over, trying to help, and just about that time, she flips over and starts laughing - total fakeout! Everybody bursts out laughing.

Shortly after that, they closed for the night and kicked us out and we all headed over to Cleopatra's Barge. There weren't enough seats or tables for us, but I noticed that the "reserved" barge seating was empty. Drawing upon a clever technique (i.e. sometimes called "asking") I social engineered a waitress into letting us have the reserved area. Within mere minutes, several security geeks are on the dance floor, doing us proud.

hoff-cleopatra2

This leads me to the Four Horsemen of Cleopatra's Barge. (Though I was out there too, I am excluding myself since simply because I can.)

JJ, for leadership
Hoff, who owned the dance floor.
Ryan Naraine, for getting low, low, low
David, for letting his hair down.

Though our collective dancing does not signal the end of the world, it certainly capped an excellent day

Elements of Style [ImperViews]

Posted: 07 Aug 2008 02:57 PM CDT

I am a non-native English speaker. Usually I can get along just fine with small talk and volubility chats, but when it comes to grammar I have to sweat before a decent paragraph can be posted or sent.

My biggest challenge is the comma. This small punctuation mark makes my life difficult as I have a tendency to use it very often and probably more than I should. As a service to all the others that might be facing a similar challenge, I would like to recommend a book that was given to me not too long ago and helped me to overcome my comma challenges.

The book "Elements of site" (an online version is available) was written almost 100 years ago yet it provides invaluable guidance how to use English properly. The elementary rules of usage section includes the most common comma usage rules including:

In a series of three or more terms with a single conjunction, use a comma after each term except the last.
Enclose parenthetic expressions between commas.
Place a comma before a conjunction introducing an independent clause.
Do not join independent clauses by a comma.

(click to see a larger image)

Insurers Mining Consumer Data [securosis.com]

Posted: 07 Aug 2008 12:30 PM CDT

I saw this article in the Arizona Republic Monday about how the insurance companies are able to save money by gathering health care records electronically, make more accurate analyses of patients (also saving money) and be able to adjust premiums (i.e., make more money) based upon your poor health or various other things. You know, like ‘pre-existing’ conditions, or whatever concept they choose to make up.

Does anyone think that they will be offered an option? The choice of not providing these electronically? Not a chance. This will be the insurer’s policy, and you can choose to not have insurance, or turn over your records.

Does this violate HIPPA? To me it does, but since you are given the illusion of choice, their legal team will surely protect them with your ‘agreement’ to turn over these electronic documents. And why not, with all the money they saved through data analysis, they have plenty of money for their legal expenses.

Does anyone think that the patient will be allowed to see this data, verify accuracy, or have it deleted after the analysis? Not a chance. Your medical data will most likely have a “half life” longer than your life span. That stuff is not going anywhere, unless it is leaked of course. But then you will be provided a nice letter in the mail about how your data may or may not have been stolen and how you can have free credit monitoring services if you sign this paper saying you won’t sue. It’s like watching a car wreck in slow motion. Or a Dilbert comic strip.

Let me take another angle on the data accuracy side of this proposition. When I first graduated college, I walked down the street to open a checking account with one of the big household names in banking. For the next 12 months I received a statement each month, and not one of those banking statements was 100% correct. Every single statement had an error or an omission! My trials and angst with a certain cell phone provider are also well documented. Once again, charges for things I did not order, rates that were not part of the plan, leaked personal data, and many, many other things during the first year. I had one credit card for a period of 12 years, and like clockwork, a late fee was charged every 6-9 months despite postmarks and deposit dates which conclusively showed I was on time. I finally got tired of having to call in to dispute it, and just plain fed up with what I assumed was a dastardly business practice to generate additional revenue from people too lazy to look at their bills or pick up the phone and complain. I had a utility company charge me $900, for a single month, on a vacant home I had moved out of three months prior. One out of two grocery store receipts I receive is incorrect in that one or more prices are wrong or one of the items scans as something that it is not. Other companies who saved my credit card information, without my permission, tried to bill me for things I did not want nor purchase. Electronic records typically have errors, they are not always caught, and there may or may not be a method to address the problem.

The studies I have seen on measuring the accuracy of data contained within these types of databases is appalling. If memory serves, over 20% of the data contained in these databases is inaccurate due to entry or transcription errors, is incorrect logic errors in transformational algorithms, or has become inaccurate with the passage of time. That later item means each subsequent year, the accuracy degrades further. There is no evidence that Ingenix will have any higher accuracy rates, or will not be subject to the same issues as other providers, such as Choicepoint. They say computers don’t lie, but they are flush with bogus data.

Now think about how inaccurate information is going to affect you, the medical advice you receive, and the cost of paying for treatment! There is a strong possibility you could be turned down for insurance, or pay twice as much for insurance, simply because of data errors. And most likely, the calculation itself will not be disclosed, for “Pharmacy Risk Score” or any other actuarial calculation. If this system does not have a built-in method for periodically certifying accuracy and removing old information, it is a failure from the start. I know this is a recurring theme for me, but if companies are going to use my personal information for their financial gain, I want to have some control over that information. Insurance companies will derive value from electronic data sharing because it makes their jobs easier, but the consumer will not see any value from this.

-Adrian

My excellent adventure at Black Hat [StillSecure, After All These Years]

Posted: 07 Aug 2008 11:52 AM CDT

Yesterday was a great day at Black Hat. I would tell you all about it, but it seems Mitchell thinks that it best that we don't talk about what goes on here at Black Hat. Now, far be it from me to break "Cardinal Rules" (has anyone ever really thought about what exactly is a "cardinal rule"? Why not a Blue Jay or Falcon rule?) but if we can't talk about it, what good is it. I think Mitchell is confusing divulging the really juicy Vegas stuff, from just the mundane. So let me tell you about my excellent adventure yesterday at Black Hat.

I was one of the multitude standing in the back listening to Dan's DNS report. You probably have already heard that it is bigger and worse than originally reported. I than spent a lot of time with the Microsoft people talking to them about their security stuff. I will tell you that despite many who rail against Microsoft, these guys actually are doing a great job on security and in dealing with the security community. Much better than a certain company named for a fruit whose marketing people killed the presentation of their own security research team. After lunch I took a front row seat to watch Hoff present on virtual security. He has some very pretty slides, but the message was clear. Great presentation by Hoff. I spent most of the rest of the afternoon catching up with lots of security bloggers here. I am amazed by the number of us here at Black Hat.

Had a quiet dinner with Mitchell (I would tell you about it but you know about what happens in Vegas with Mitchell) and than went to the Breach party at the Shadow Bar (I love that place, but it was too hot last night). We than went over to the Fuente cigar bar and next thing you know we were joined by about 30 of our closest security blogger buddies. It was a great time and their are pictures floating around twitter somewhere of it. We talked and laughed into the late hours, winding up at the Augustus cafe again for an early breakfast.

Well it is back to the show today and another round of parties tonight. Ah, it is tough living the life ;-)

Can We Learn From McAfee's Latest Acquisition? [ImperViews]

Posted: 07 Aug 2008 11:45 AM CDT

If you felt the winds of change last week, it wasn't only SoCal's earthquake aftershock. McAfee, announced that it is "redefining the entire data protection market." In a press release, last week, they announced the acquisition of Reconnex, a network based DLP vendor, that followed an earlier acqusition (2006) of the host based DLP vendor Onigma. Since I was part of another team that was "redefining the market" earlier, I feel that given the time perspective (almost two years) there are few DLP lessons that can be learned from McAfee's acquisitions that apply to the DAM space, especially related to the network vs. host debate.

Ask anyone that attempted to deploy a DLP solution and he'll tell you that the main obstacles are a result of the deployment-related issues: Identifying the starting point, the number of endpoint systems, data discovery, classification and host protection. Database Activity Monitoring and Security solutions are less effected by those factors due to the inherent nature of the DBMS model and business applications that they are protecting (Note to self: a good idea for another post).

Choosing a host based solution for activity monitoring and security, when the bulk of operations are performed over the network, will increase complexity, add burden on the host (increased CPU % and memory footprint) and requires a very complicated policy management model, as McAfee probably found out. Unlike laptops that can be stolen, left behind or simply lost, database servers have a tendency to stay in a known location. Sure, there are some use cases such as separation of duties (SOD) and privileged user monitoring (PUM) that require the monitoring to take place on the database server itself.

Database activity monitoring (especially for auditing purposes and compliance with regulations like PCI) requires inspection of all database activity. Network based solutions (like SecureSphere) uses a network appliance to examine the transactions related to the database, either in inline or sniffing mode (off a TAP or a SPAN port usually). However, this method presupposes that the activity is occurring between the database server and a remote (i.e., non-local) application or user over a database connection.

When the database activity is not available for inspection by the network appliance (e.g. some database activity is performed locally on the database server or via one of the few unsupported encryption methods), something else is needed. In this case SecureSphere uses a light-weight database agent that is installed on the audited database and can examine all relevant communications, eliminating blind spots.

This light-weight database agents captures only relevant database activity and sends traffic to a gateway appliance for analysis and audit using different transport methods. It has negligible performance impact on the mission critical database server and allows to maintain a unified policy model with network activities and therefore reduces the overall administrative burden.

Looking at the past and learning from experience tells us that heavy agents and agent only approaches indeed are limited in DAM as well as in the DLP market. Solutions that rely on host alone will never scale. Sure, there might be a scenario when one will buy into this concept and even will try to implement it, looking into large scale production deployments, it will only be possible with combination of fast, reliable network based solution and lightweight, hassle-free host agents.

Will McAfee redefine the market (again)? only time will tell.

Black Hat 2008 Day 1: We're Screwed! [Security Incite Rants]

Posted: 07 Aug 2008 11:39 AM CDT

Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.

I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.

Keynote: Ian Angell, Professor London School of Economics - Professor Angell is a pretty engaging character and I enjoy his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to comprise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
Hoff's Four Horseman: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.

The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.

Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.

Only in Vegas...

links for 2008-08-07 [delicious.com] [Andrew Hay]

Posted: 07 Aug 2008 08:30 AM CDT

The Times They Are a-Changin’ [Andrew Hay]

Posted: 07 Aug 2008 07:55 AM CDT

soze Bob Dylan was right. The times are changing, especially in the web security war. It turns out that the hacker group behind the Coreflood Trojan have stolen at least 463,582 usernames and passwords while flying under the radar. How did they accomplish this? Instant messaging worm? Emailing malware out, via a botnet, to everyone and their dog? According to SecureWorks Director of Malware Research Joe Stewart, it all started with a drive-by attack:

According to Stewart, it was by not targeting things like instant messaging or e-mail, which get a lot of attention from security vendors. Instead, the hackers relied on drive-by attacks, and would pick a hosting provider and do a mass hack of every single Web page on that particular server. Then they would wait for users—particularly domain administrators with high-level rights.

So basically, the attackers plan is to put an infected website up, let one user access it and get infected, and then wait for the domain administrator to log into that workstation. After the administrator has logged in, and the malware has privileges, it propagates like an update to all other systems on the network.

Also, the group “did not rely on zero-day attacks, just standard exploits that one can get from various underground forums“.

According to Stewart:

“Their trick is not in getting that initial infection—their trick is being patient and waiting for the right person to log into that workstation and then (taking) over that whole network,” he said.

Ah, the old Keyser Soze trick - The greatest trick the devil ever pulled was convincing the world he did not exist. And like that… he is gone.

Twitter Updates for 2008-08-06 [.:Computer Defense:.]

Posted: 06 Aug 2008 10:59 PM CDT

Just boarded the plane. Vegas bound! #
Landed in Vegas. Just pulling up to caesar's #
We're having food at Denny's if anyone wants to come #
A solid 3 hours sleep. Being on blackhat #
At the nCircle booth. If you come by find me and ask me about the dog tags #

The History and Future of LDAP [The IT Security Guy]

Posted: 06 Aug 2008 07:21 PM CDT

Here's a piece I wrote that came out Monday on SearchSecurity's Network Security newsletter about the LDAP, both its future and its history.

links for 2008-08-06 [delicious.com] [Andrew Hay]

Posted: 06 Aug 2008 06:01 PM CDT

DNS cache poisoning, first attacks [Hackers Center Blogs]

Posted: 06 Aug 2008 06:00 PM CDT

From this (funny) video, I have found on Kaminsky blog (the guy who gave new life to the old DNS cache poisoning issue) seems that large part of the major ISP's DNS servers have been patched.

After Kaminsky's publication of the vulnerability exploit code gone wild and ported to HD Moore's Metasploit framework just few days late.

Not even 2 weeks after the breakthrough, HD Moore's company web site has been hijacked by spammers poisonoing At&T DNS Server serving his compa [...]

Banking by Phone for the Poor - Will Security be an Afterthought? [Andrew Hay]

Posted: 06 Aug 2008 01:47 PM CDT

stupid This October, in India and Bangladesh, there is a planned roll out of a technology that will enable anyone to transfer money between bank accounts, credit cards and phones via text messages from a cellular (mobile) phone. Using Obopay, you can sign up for an account, and start moving your money around like its nobody’s business.

From the article:

Grameen Solutions, an affiliate of Nobel Prize winner Muhammad Yunus’ Grameen Bank, this week teamed with Obopay Inc., a for-profit mobile payment company based in California, to bring banking to a billion poor people using cellphones.

"Today, it’s difficult to reach these people," Obopay India Executive Director Aditya Menon said at a news conference in India’s financial capital, Mumbai. "If you solve that problem, you are enabling them to enter the economy."

The question is, however, will security be an afterthought or will it be a primary focus of this offering? Enabling the access to, and money transfer between, accounts from a mobile platform will require rigorous security safeguards. Surely Obopay has thought of this right? Well, the Obopay website states that it indeed secure as you are required to specify a PIN number upon the creation of your account. This PIN is used any time you send money so “even if you lose your phone your money is safe”….safe?….SAFE?

Why isn’t multi factor authentication a requirement? How easy would it be for someone to pick up your cell phone and empty out your bank account if they knew your super-secret PIN number? How easy would it be for someone to beat your PIN number out of you?

These are all questions that I would have expected to be addressed during the design and implementation of this new technology integration. Alas, it appears that this is not so. Why is that again?

agribusiness

Friday, August 8, 2008

Spliced feed for Security Bloggers Network

Spliced feed for Security Bloggers Network

No comments:

Blog Archive

About Me