Tuesday, August 12, 2008

Spliced feed for Security Bloggers Network

Visa deploys EV SSL [Tim Callan's SSL Blog]

Posted: 12 Aug 2008 07:26 AM CDT

Sorry for the gap in blogging. We got a blogging software upgrade and it's been two solid weeks of technical problems. I've been traveling a lot, and in the few moments I did have to blog the console was unavailable.

I have lots of things to tell you, but let's make it an easy one this morning. Credit card giant Visa has added EV SSL to its site.

The Daily Incite - August 12, 2008 [Security Incite Rants]

Posted: 12 Aug 2008 06:52 AM CDT

Today's Daily Incite

August 12, 2008 - Volume 3, #68

Good Morning:
I forgot how cool the Olympics are. I can hardly remember what I had for breakfast; the odds of remembering anything that happened 4 years ago are remote. On Sunday night, I remembered. Athletes from around the world, competing mostly for national pride. Not entirely, but mostly. I'll admit to getting caught up in the drama, the background stories, and ultimately the sacrifice that these athletes make for years at a time to chase one shining moment.
Take that Frenchies!
And if they screw it up, it's gone. Likely to never come around again. It's the ultimate drama.

By now, most (if not all) of you should have heard about the American 4x100 freestyle relay team. What a race! The Boss and I were literally screaming at the TV at midnight. Yes, we woke up the kids. And yes, we paid dearly for the hour after the race was over. The last time I got that fired up watching sports was the Super Bowl, and before that I can't even remember.

We were also totally engaged in the women's gymnastics preliminaries. Although "women's" is probably a misnomer. It seemed a bunch of those competing were girls. Little girls at that. But those girls can flip, turn, tumble, and vault like nobody's business. They are fearless and focused.

To me, the best part is to see the athletes dig deeper than they thought they could. They routinely do things no one thinks is possible - even themselves. They push through the limits and show the world what they are made of. I tip my hat to all the Olympians. Whether they take Gold or just show up and compete. It's a tremendous accomplishment.

The best seat in the house is usually right in front of my big ass HDTV. But I'm thinking the Olympics is something you should attend at least once, if the opportunity presents and fortune smiles upon you. By the 2012 Summer Games in London, the kids may be old enough to appreciate it. Hmmmm. I better start saving now.

Have a great day. 

Photo: "YEAH, USA!!!" originally uploaded by mbtrama


Top Security News

What kind of parachute fits on a pwnie?
So what? - Have you ever seen a flying pwnie? You will. With Delta offering WiFi in the sky, there is no doubt some enterprising "researcher" will bust out xStumbler and Wireshark to see what he/she can find. How would anyone actually catch them? A little spoofing action and they are in the clear. And it's not like the Air Marshals are going to be much help. Do you think Delta is going to give up a revenue seat for a security pro? Yeah, right. I know WiFi in the sky is probably good for their revenue, but it's bad for unsuspecting customers, who couldn't defend themselves from a grade school crook. So basically they are sending a bunch of lambs to potential slaughter. I guess the best news is that a bad guy can only compromise 200 or so people at a time. Though flying on the A380 could yield a fiesta. Let's just say I'll remain happy to do some unconnected writing on my flights. Even if I do have WiFi.

Countrywide...You are the weakest link.
So what? - So now it seems the Countrywide data breach could/should have been averted because they had a policy (and even some software) to shut down the USB ports. Except on the machine the nefarious insider used to pilfer the data. And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn't worth the paper it's written on, if it's not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, "it only takes one." I guess Countrywide gets that now too.

Yes, monitor your web apps too
So what? - I found this new capability on Imperva's web application firewall to monitor the malicious inputs (amongst other things) and help provide actionable reports to developers fascinating. You all know I'm a big fan of monitoring, and all other things being equal, I'll choose to monitor not just the network - but the servers, databases, and apps as well. As helpful as the monitoring info is to REACT FASTER, it would be great if you didn't actually have to react every time. So you could get attacked, find the issues in the application and then fix them. Of course, it's the "fix" part that is the most challenging because we security folk don't control that. So it still gets back to building and nurturing a good relationship with the development team and continuing to evangelize why it's a good thing to eliminate issues before deployment, and this is just more data to make the point.

The Laundry List

  1. JNPR plays into the eventual integration of network and security management by offering an integrated management console for the switches and the (former) NetScreens. - Juniper release
  2. MSFT introduces the "exploitability index" to protect consumers. So, a totally subjective index targeted towards a customer base that doesn't understand what "exploitability" means. Great. - Venturebeat coverage
  3. Guidance blows the quarter, stock gets hammered and now it's time to change to a subscription model. It's hard to get off the perpetual license crack when the Street expects new growth. - Guidance earnings release
  4. Justice is served. You mean, the TJX hackers are brought to justice? Nah, now I'm forced to go buy some decent clothes, since I'm still boycotting TJX. - NetworkWorld coverage

Top Blog Postings

Too much GRC? It's more about tactical vs. strategic
Normally I wouldn't point to a vendor byline generally making the case for a GRC thingy. But Gordon Burnes of OpenPages makes a couple of good points in this article on the IT-Finance Connection blog. Basically his point is that "For each new regulation or risk discipline, organizations typically implement a new technology point-solution aimed at the specific mandate." Clearly there are problems with this approach. First you get no leverage. I know sometimes there are different operating groups that are responsible for different aspects of managing risk and ensuring compliance, but if there is no SINGLE coordinating point, what's the purpose? Remember that old story about the weakest link? Right, you have no idea what is weak or strong if you don't have a single view of the risk environment. The same can (and should) be applied to security (as if you can separate security from risk) in taking a SINGLE and holistic (hopefully not delusional) view of the security environment. That's why I push for the CISO to be focused on managing the program, as opposed to implementing and operating the controls. If he/she is too busy fighting fires, they miss the forest for the trees, and sooner or later they have to bring those fire department planes in to control the forest fire.

A bug is a bug is a bug is a bug
Fortify's Roger Thornton rants a bit about this recent debate about open source security. I guess we just can't quite remember that every piece of software has bugs, and those bugs sometimes result in security issues. Roger's point is that open source is no panacea and is still going to have bugs. Yet, many in the open source community view these realities as personal affronts and strike back with venom and rage. Get over it. I agree with Roger that security issues are issues just like performance and functional issues. Especially if the application provides access to private data and/or intellectual property. But it's not sexy to focus on security issues and we security folk have to keep evangelizing the need to make the software better (over time) and focus on eliminating the defects sooner and better. And that goes for open source, commercial grade or home grown stuff. The attackers don't make a distinction and neither should you.

Only the rear view mirror knows your potential
I'm going to wrap today with an off-topic post. One of the things that frustrates me most about some folks I know is they are pre-occupied with what everyone else thinks of them. Other people's perception drives what they do and how they feel about themselves. I work very hard to not give a crap. I do what I think is best for ME and my family and if someone else doesn't like it... Oh well. This post on Penelope Trunk's blog really sums up the entire discussion. Her main contention is that our only purpose in life is to be kind, and she's right. I spent a long long time not being kind, rather chasing some arbitrary dollar figure and stepping on lots of folks in the process. I was grumpy and I felt like a failure because I didn't have a plane (don't laugh, it's true). Then I stopped worrying about it. I started worrying more about having fun than making money. I figured it would work out in the end, so I just did things that seemed right, as opposed to what was the consensus view of how to do things. And I will continue to do that. I suspect people will be constantly scratching their heads at the stuff I do. Just know, your opinion - though interesting - is irrelevant. I'm not worried about what anyone else thinks about my choices. Anyhow, I figure I'm in the win column already, since my kindergarten teacher figured I'd never amount to much of anything. So now I'm playing with the house's money. Just have fun and stop worrying about everyone else. It's a much better way to live.

Big Week [BumpInTheWire.com]

Posted: 11 Aug 2008 11:20 PM CDT

We’ve got a big week ahead of us.  We are doing a disaster recovery test on Friday along with the installation of our new Nevis hardware on Thursday.  The hardware we will be installing is a LANenforcer 2024 at each location for redundancy and two LANenforcer 1048 Secure Switches.  Wednesday night we will be updating our LANSight Security Management Appliance to the latest code.  This is a necessary first step in order to manage the two new LE 2024s, which will have newer code on them than the two appliances we currently have in production.

Throw that on top of the DR test and this week should be quite an adventure.

Defcon [Kees Leune]

Posted: 11 Aug 2008 07:03 PM CDT

Defcon was awesome.

I got to meet a whole lot of people who I wanted to say hello to, a whole bunch of people who I had never heard of but enjoyed hanging out with, and I was unable to hook up with some persons who I had really wanted to see. Oh well, there is always next year!

I'm not going into much detail; if you were there you know what it was like and if you weren't, I don't think I would be able to convey the Con as a whole. This picture captures it fairly well though ;)


Boiling the DNS puddle [Security Incite Rants]

Posted: 11 Aug 2008 04:46 PM CDT

I'm still rather haunted by Dan Kaminsky's DNS presentation from last week's Black Hat conference. As I mentioned in my Day 1 wrap-up, you forget how pretty much everything you do is dependent on having trustworthy DNS. Dan showed that DNS is anything but trustworthy.

So I spent some time trying to figure out how to solve the problem. Sure, a lot of really smart folks spent some time doing the same. And they couldn't really see a tangible answer, so they are pushing towards source port randomization to at least minimize the likelihood that the DNS cache will be poisoned via a Kaminsky attack.

Part of the luxury of not being a real technical guy is that I tend to look at the problem in an unconventional way. I suspect (but don't know this for sure) that many others are trying to solve the entire problem. Which I suspect is akin to boiling the ocean.

After looking at DNSSEC for a little while, clearly that is intangible for a network the scale of the Internet. The idea of digitally signing all of the requests is a good one in theory, but clearly ain't going to get there. And with the zone enumeration issue inherent to early versions of DNSSEC, folks are starting to layer band-aids and duct tape over the issues, in a feeble attempt to try to get the technology to "work."

I really doubt it's going to happen. So what's plan B?

I've also been doing a lot of research into CSRF (cross-site request forgery attacks) and I see some similarities to the Kaminsky DNS issue. Not like twin brothers. More like 3rd cousins. Basically, in both scenarios, it's not clear that you can trust the other side of the transaction, so you need to layer some more "tests" on top of the base transaction to make sure you are receiving traffic from the real McCoy.

One of the techniques to defending against CSRF is to add a token to each transaction, which would be difficult (not impossible, but difficult) to spoof and therefore would sort of validate that the other side of the transaction is legit.

Why couldn't we do this for DNS requests? I know, I know. We'd have to update all the name servers and then propagate the software through the DNS hierarchy. But that's only if we are trying to boil the ocean.

What if we only tried to boil a lake, or even a puddle, and started building some of the code into our key applications (or as a proxy for our key applications)? And then we could get our trading partners (who we are doing high value transactions with) to add the same code to their applications. Thus, any traffic I'm sending to IP addresses in their environment is also "tokenized."

If a large enterprise moves in this direction, they likely have enough pull to get their ISP (or multiple ISPs as it may be) to build the code into their name servers. Then it sort of becomes a bottoms-up movement, as opposed to a top-down mandate. Top down doesn't work too well in the age of the Internet.

In terms of caveats, I have no idea if this would even work. I'm literally making this up. Or if Kaminsky would make mince-meat out of this in seconds. Or if many others have tried this and failed already.

I also don't know how complicated it would be to add this proxy layer to tokenize the DNS requests. I don't know if it will scale or if it will solve the problem. Or if the very nature of DNS requires that we boil the ocean, as opposed to the puddle.

Basically, I'm throwing some spaghetti against the wall and I figure the real smart guys out there will take a look, tell me I'm an idiot and then maybe suggest something that would be more tangible/feasible/logical, etc. It's all about fostering the discussion, since after seeing Kaminsky's pitch, sticking our heads in the sand and waiting for divine intervention to fix the problem ain't going to happen.

Photo credit: "lake (or puddle?) of free boiling mud" originally uploaded by magtravels
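The token idea the post borrows from CSRF defenses, worked through as an added example for this page (not code from the post, and not a DNS implementation): the server holds a secret, issues a token bound to one session and one action, and only honours a transaction whose token it can recompute. A party that can forge the request but does not hold the secret cannot forge the token. The secret, session ids and action names below are constructed.

```python
"""HMAC-based per-transaction token, in the style of a CSRF token.

Added example: the server holds a secret, issues a token bound to one
session and one action, and only honours requests whose token it can
recompute.  SECRET, session ids and action names are constructed.
"""
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-server-secret-rotate-me"   # constructed; keep out of source in real use
MAX_AGE_SECONDS = 600                              # token lifetime


def _mac(secret, session_id, action, issued_at, nonce):
    """Compute the tag over everything the token commits to."""
    payload = f"{session_id}|{action}|{issued_at}|{nonce}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_token(secret, session_id, action, now=None):
    """Create a token for one (session, action) pair.  `now` is injectable for tests."""
    issued_at = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)                   # makes every token unique
    return f"{issued_at}.{nonce}.{_mac(secret, session_id, action, issued_at, nonce)}"


def verify_token(secret, session_id, action, token, now=None, max_age=MAX_AGE_SECONDS):
    """Return True only if the token was issued by us for this session and this
    action and has not expired.  The tag comparison is constant-time."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_str, nonce, tag = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False                               # malformed token
    if not 0 <= now - issued_at <= max_age:
        return False                               # expired, or dated in the future
    expected = _mac(secret, session_id, action, issued_at, nonce)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    t = issue_token(SECRET, "sess-alice", "transfer-funds")
    print("genuine:", verify_token(SECRET, "sess-alice", "transfer-funds", t))
    print("presented by another session:", verify_token(SECRET, "sess-bob", "transfer-funds", t))
    print("reused for another action:", verify_token(SECRET, "sess-alice", "change-email", t))
```

Binding the tag to the session and the action is what keeps a token captured from one transaction from being replayed against another; the expiry bounds how long a captured token stays useful.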

The Network Security Podcast Pwns Black Hat And DefCon! [securosis.com]

Posted: 11 Aug 2008 03:52 PM CDT

No, we didn’t hack any networks or laptops, but we absolutely dominated when it comes to podcast coverage. This was our second series of microcasts since RSA, and we really like the format. Short, to the point interviews, posted nearly as fast as we can record them.

We have 9 (yes 9) microcasts up so far, with about 2-3 more to go. A few people also promised us phone interviews which we plan on finishing as soon as possible. Here’s the list:

  1. Our pre-show special; where we talk about our plans for coverage and what we’d like to see.
  2. The first morning; our initial impressions before the main start of the show.
  3. Mike Rothman of Security Incite, hot after Chris Hoff’s virtualization presentation.
  4. Tyler Reguly of nCircle on web development and the learning curve of researchers.
  5. Jeremiah Grossman from WhiteHat Security on what he’s seen and what he talked about in his session.
  6. Martin turns the tables on Jon Swartz of USA Today and the book, Zero Day Threat.
  7. Martin and I close out Black Hat (don’t worry, there’s still DefCon).
  8. Nate McFeters and Rob Carter talk with us about GIFARs and other client side fun.
  9. Raffael Marty discusses security visualization, which he coincidentally wrote a book on.
  10. I never saw Johnny Long, but Martin managed to snag an interview with him on his new hacker charity work.

Don’t worry, there’s more coming. Stay tuned to netsecpodcast.com for an interview with the slightly-not-sober panel I was on (Hoff, David Mortman, Rsnake, Dave Maynor, and Larry Pesce) and some other surprises.



A Flaw in NoScript Firefox Plugin!!! [An Information Security Place]

Posted: 11 Aug 2008 02:31 PM CDT

There’s not really a flaw (that I know of), so sorry for the theatrics.  Just thought that would be a good draw.  :)

But really, there is a human problem from which NoScript cannot protect you.  What if you have set up a website as trusted through NoScript, then that site gets compromised?  If there is malware in the compromised site, it is possible that your trusted relationship will allow that code to run and infect you.  Yes, there are extra protections built into NoScript to protect against even trusted sites (see screenshots below), but this is still a problem if you have a site in the whitelist and it gets compromised.

This seems obvious now that I see it, but I never thought about it until Alan’s blog got compromised.  My advice would be to whitelist as little as possible and to use the temporary allow feature for everything that doesn’t cause you severe headaches.

NoScript Advanced options:





Timing is everything [Branden Williams' Security Convergence Blog]

Posted: 11 Aug 2008 12:42 PM CDT

So you all know (well the three of you that read this... Hi Mom!) that I am headed to Australia this week. I was doing my traditional pre-flight checklists to make sure that I had everything I needed before I started packing. Power converter? Check. Power supplies for devices? Check. Remove things that just add weight that you won't need? Check. Log into my credit card account to make sure we're good? DOH!

My card has been compromised AGAIN! The DAY BEFORE I am headed to Oz.

The new one is on its way (overnight now) but good gracious, talk about skidding across the finish line. Upside down. On fire. In eighteenth place.

The only piece that annoys me is the inconvenience. Irrespective of their internal beliefs, companies that come into contact with consumer data should still do whatever they can to protect it, even if consumers are relatively insulated from its effects (such as with credit card theft).

What a difference a word makes. [NP-Incomplete]

Posted: 11 Aug 2008 12:29 PM CDT

I enjoy talking with reporters, and I do so quite frequently. It is part of my responsibilities at Cloudmark. Thankfully, most of the guys I talk to on a regular basis are extremely responsible, detail oriented, and diligent about the facts; a single omitted word can radically alter the meaning of a phrase. Chris Hoff, a very well seasoned speaker and media contact, is now experiencing the repercussions of such an error. By dropping the word "security" from the phrase "Virtualizing security will not save you money, it will cost you more.", a reporter changed Hoff's statement from a negative statement about the security to a negative statement about his employer. As you can imagine, this has caused a massive headache for Hoff and his employer. The only way to fix any misquote in the current media climate is to generate corrective content early and often, as I am doing with this post.

What to Buy, Part Two [securosis.com]

Posted: 11 Aug 2008 10:03 AM CDT

So we took the plunge at the Lane household and bought an iMac. That is the good news. The bad news: it was my wife, and not me, who made the purchase.

My wife’s laptop performed the 25-month post-warranty belly flop while I was at DefCon. A few flickers on the monitor and nothing. A very cold no-boot followed. So off we went to Fry’s today and after an hour browsing she wandered by the Macs. She was looking at the iMac and asked, “Where is the box? Doesn’t this thing have a disk drive?”, to which I replied “The disk and processor are built into the monitor housing, so there is no box”. Her eyes opened a little wider and she stared for another minute or two. That was all it took, and she jumped in with both feet. I warned her there would be a learning curve with the new OS and software, but she was not deterred. I made the statement more for my benefit than for hers, as she is a type ‘A’ personality with a bullet, so patience is not usually a word used in her vicinity.

However there is one consolation prize in this effort, as the phrase “I don’t know” is the correct answer. Let me explain what I mean by that. As many of you may have experienced, when you are the Computer Guy in the house, it is expected that for anything that goes wrong with anything that has electricity, YOU will fix it. You know what is wrong with any piece of hardware or software and exactly how to fix it instantly. Otherwise you get the “You call yourself a CTO?” jokes. Not only that, when you’re married, friends and family get to ask for IT tech support as well. This is one of my major annoyances in life. But when you know next to nothing about a Mac, the stream of questions directed at me always results in “I don’t know, why don’t you look it up?” This brings a wonderful, liberating sense of freedom from responsibility. “Why is Safari doing that?” “How do I ______?” and my personal favorite, “I am taking this &;@%”@%/ of *&@(;( back to the store if this does not, oh, wait, now it works.” And I have been smiling at the fact it is not my problem all day long.

She has let me use the machine for a bit. All in all this is a seriously nice, well engineered and very cool looking piece of hardware. While the approach is different, everything is conceptually easy once you get used to the difference in perspective. She really likes it and I am very much looking forward to buying a MacBook for myself. In the meantime, I am going to fly off to California for the next couple of days until the swearing stops.


Don’t Go There!!!! [BumpInTheWire.com]

Posted: 11 Aug 2008 08:30 AM CDT

Don’t visit StillSecureAfterAllTheseYears.com at work today.  Seems Alan is having a little “trouble” the last couple of days.  Hyperlink left off intentionally.

Surf Jack - HTTPS will not save you [SIPVicious]

Posted: 11 Aug 2008 06:13 AM CDT

Alert: this is not a VoIP security post. Just a repost from EnableSecurity.

I just released a new paper and tool on the subject of web application security.

Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself.

And if you did not do it already, please subscribe to my other site, EnableSecurity's RSS feed.

Surf Jack - HTTPS will not save you [EnableSecurity]

Posted: 11 Aug 2008 02:37 AM CDT

Say hello to a new security tool called “Surf Jack” which demonstrates a security flaw found in many public sites. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag. I’ve been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability - so there is no point in keeping this from the public.

You can download the tool from here and a paper with more details on the subject.

The following is a video demonstration of how this affects Gmail and how to prevent this from affecting you.
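The Secure-flag problem the tool demonstrates, as an added example for this page (not the Surf Jack tool or the author's code): a standard-library Python check that stores a cookie exactly as an HTTPS response would set it, then asks whether a cookie jar, which applies the same Secure-flag rule a browser does, would attach it to a plain http:// request for the same host. The host name and cookie values are constructed; the weak and fixed Set-Cookie headers sit side by side.

```python
"""Offline demonstration of why a session cookie needs the Secure flag.

Added example, not the Surf Jack tool.  http.cookiejar applies the same
Secure-flag rule a browser does, so we can ask "would this cookie be sent
on a cleartext http:// request to the same host?" without any network
access.  The host name and cookie values are constructed.
"""
import http.cookiejar
import urllib.request
from email.message import Message

HOST = "online.bank.example"          # constructed, not a real site
LOGIN_URL = f"https://{HOST}/login"   # where the cookie is set (HTTPS)
PLAIN_URL = f"http://{HOST}/"         # a cleartext request to the same host

# The weak form the post describes, and the fixed form beside it.
WEAK_HEADER = "SESSIONID=constructed-session-token; Path=/"
FIXED_HEADER = "SESSIONID=constructed-session-token; Path=/; Secure; HttpOnly"


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def audit_set_cookie(header):
    """Report the two attribute flags a reviewer checks on a Set-Cookie header."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def cookie_leaks_over_http(set_cookie_header):
    """Store the cookie as if it arrived in an HTTPS response, then check whether
    the jar would attach it to a plain-HTTP request for the same host.
    True means a downgrade to cleartext would expose the session token."""
    jar = http.cookiejar.CookieJar()
    https_req = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(_FakeResponse(set_cookie_header), https_req)

    http_req = urllib.request.Request(PLAIN_URL)
    jar.add_cookie_header(http_req)           # applies the Secure-flag rule
    return http_req.get_header("Cookie") is not None


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        print(label, audit_set_cookie(hdr), "leaks over http:", cookie_leaks_over_http(hdr))
```

The point the jar makes concrete: a cookie set over HTTPS is not an HTTPS-only cookie; only the Secure attribute stops the client from sending it on a cleartext request to the same host.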

New SIPVicious release 0.2.4 [SIPVicious]

Posted: 10 Aug 2008 11:41 AM CDT

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes, which apparently can be quite useful with certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy

Booting OSWA on Eee PC with SD flash [Errata Security]

Posted: 09 Aug 2008 07:53 PM CDT

These are some notes for making a bootable SD flash card for my Eee PC from the "OSWA Assistant" bootable CD.

A bootable or "live" CD is a popular way of distributing hacking tools. You just put the CD into any computer and boot from it (instead of your normal hard disk). You get a Linux desktop and pointers to a list of common programs. The most famous of these is probably the "Backtrack" CD.

Another one for wireless auditing is "OSWA Assistant". I've never used it before, but they were handing out CDs at BlackHat 2008 Vegas.

The computer I want to use for this is the Asus "Eee 2G Surf", a $299 disposable laptop. Everybody should probably have a handful of these around to play with.

The problem with the Eee PC is that it doesn't have a CD-ROM drive, so I can't boot the OSWA CD. However, it does have three USB ports and one SD flash port. The SD port is especially nice for booting. You can get 2-gig SD flash cards for $7; they are hella cheap.

To make a bootable SD card from the CD, I went through the following steps.

Step 1: I copied all the files to the SD card. I first put the SD flash card into my Windows PC which became the "D:" drive. I downloaded the latest oswa-assistant.iso image from the OSWA website, opened it in WinRAR on my Windows PC, and extracted all the files to the "D:" drive. You can use pretty much any tool for extracting the files, I just happened to have WinRAR handy. I didn't even know that WinRAR could extract files from ISOs - I just assumed that is the sort of thing that WinRAR ought to be able to do.

Step 2: I needed to make the flash bootable. Most bootable CDs use a tool called "isolinux" to go through the boot process. There is a sibling tool called "syslinux" for making bootable Linux flash devices, such as USB flash or SD flash. I downloaded the syslinux archive, extracted to "C:\syslinux". I opened a command prompt, went to "C:\syslinux\win32" and ran "syslinux.exe -ma D:" to make the SD card bootable.

Step 3: I had to change the "isolinux" configuration to a "syslinux" one. I renamed the "D:\boot\isolinux" directory to a "D:\boot\syslinux" directory instead. I also had to rename the "isolinux.cfg" file in that directory to "syslinux.cfg".

Step 4: I had to configure the Eee PC to boot from SD, otherwise it will boot from its own hard disk. When the system boots, I hit "F2" to go into the BIOS configuration, and change the boot order so that Removable Devices are at the top of the list.

At this point, the system boots. However, there are several problems. First, it complains "You passed an undefined mode number.", which refers to the fact that it doesn't understand something about the text mode screen. Simply hit to continue.

When it reaches "Starting udev hot-plug hardware detection...", it will hang for a while with the message "Starting udev hot-plug hardware detection… udevd-event[2706]: run_program: '/sbin/modprobe' abnormal exit". Don't worry, it will continue on with the boot process after about 5 minutes. It's a bit annoying though. I wish I knew what was failing.

Step 5: There was one fatal error. X Windows hangs looking for an AGP card. In order to fix this, I had to edit the "D:\boot\syslinux\syslinux.cfg" file and put "noagp" on the second line:
APPEND ramdisk_size=100000 init=/etc/init lang=us apm=power-off vga=791 initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=oswa noagp

Step 6: Profit!

Reporters "hacking" at BlackHat [Errata Security]

Posted: 09 Aug 2008 03:44 PM CDT

I was there when this happened: "Reporters At Black Hat Get Bounced For Hacking" (Slashdot).

The problem is the yin-and-yang of cybersecurity. On one hand, security is serious business. When you cross a line, people with guns show up at your door. On the other hand, learning about security is often playful and fun.

The "Wall of Sheep" rides the controversial grey area between the two. They sniff passwords from the conference network and display them (or at least, the first three letters) on a screen. It's a playful way of reminding people about the chronic problem that they are sending their passwords unencrypted on the network.

Whereas the primary BlackHat network advertised the fact that it was being monitored, different rules applied to the press network. A member of the French press didn't understand the difference between the two, pulled passwords from the press network, and attempted to submit them to the Wall of Sheep.

There was no malicious intent here. The guy didn't understand the difference between the two networks. His intent was to join the playful education game, not to hack into somebody's account.

I would suggest that CMP Media's response was a bit harsh. A private rebuke would be appropriate, but a public fuss goes too far. BlackHat is constantly mired in controversy between "education" and the often shady side of where that education comes from (vulnerability disclosure, revealing of trade secrets, etc.). I would prefer to see them err on the side of education, rather than erring on the side of "being serious about security".

FedEx Tracking number trojan [mxlab - all about anti virus and anti spam]

Posted: 09 Aug 2008 11:48 AM CDT

MX Lab has intercepted a few messages with the subject “[NO-REPLY] FedEx Tracking Number 26901603” with an attached trojan. After the UPS Tracking trojan campaign it’s now time to use FedEx.

The content of the email has the same characteristics as the UPS trojan:

Unfortunately we were not able to deliver postal package you sent on July the 31 in time because the recipient's address is not correct. Please print out the invoice copy attached and collect the package at our office

Your FedEx

The email has attached the zip archive named FedEx_Invoice.zip with the executable FedEx_Invoice_N882874421.exe. The “tracking number” in the subject and file can change of course.

Virus Total results and MD5: da90a0c3000eb90ebc9394e5568c5c9a. 7 of the 36 anti virus engines detect the trojan so be careful when you receive the message.
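With detection at 7 of 36 engines, a mail gateway cannot lean on signatures alone, so the traits the write-up lists are what a rule has to key on. The following is an added example for this page, not MX Lab's tooling: it constructs a message shaped like the reported lure (a zip attachment wrapping an .exe) and runs the three checks a gateway rule would make: lure-style subject, an executable inside the archive, and an MD5 match against a known-bad list. Sender, recipient and the .exe bytes are constructed; only the subject, file names and the MD5 come from the write-up, and the inert stand-in file will not match that hash.

```python
"""Mail-gateway triage for the "tracking number" lure described above.

Added example, not MX Lab's tooling.  Sender, recipient and the fake .exe
bytes are constructed; the subject, file names and MD5 IoC come from the
write-up.  The stand-in file deliberately does not match the IoC.
"""
import email
import email.policy
import hashlib
import io
import os
import zipfile
from email.message import EmailMessage

KNOWN_BAD_MD5 = {"da90a0c3000eb90ebc9394e5568c5c9a"}      # from the MX Lab post
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024                        # do not inflate zip bombs


def build_sample_eml():
    """Construct the lure message; the 'executable' is inert filler bytes."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real trojan"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_Invoice_N882874421.exe", fake_exe)
    msg = EmailMessage()
    msg["Subject"] = "[NO-REPLY] FedEx Tracking Number 26901603"
    msg["From"] = "noreply@fedex.example"        # constructed sender
    msg["To"] = "someone@corp.example"           # constructed recipient
    msg.set_content("Unfortunately we were not able to deliver postal package "
                    "you sent on July the 31 in time ...")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="FedEx_Invoice.zip")
    return msg.as_bytes()


def triage_message(raw):
    """Inspect one raw RFC 822 message and return structured findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "").lower()
    report = {
        "subject_lure": "tracking number" in subject
                        and any(c in subject for c in ("fedex", "ups")),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename() or "", "members": [],
                 "executable_inside": False, "ioc_match": False, "skipped_oversized": 0}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        entry["skipped_oversized"] += 1      # leave it for sandboxing
                        continue
                    member = zf.read(info)
                    digest = hashlib.md5(member).hexdigest()
                    entry["members"].append({"name": info.filename, "md5": digest})
                    if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                        entry["executable_inside"] = True
                    if digest in KNOWN_BAD_MD5:
                        entry["ioc_match"] = True
        report["attachments"].append(entry)
    if any(a["ioc_match"] for a in report["attachments"]):
        report["verdict"] = "known-bad"
    elif report["subject_lure"] and any(a["executable_inside"] for a in report["attachments"]):
        report["verdict"] = "quarantine"
    else:
        report["verdict"] = "deliver"
    return report


if __name__ == "__main__":
    print(triage_message(build_sample_eml()))
```

The hash check catches this exact sample; the subject-plus-executable rule is what still fires when the attacker rotates the "tracking number" and rebuilds the binary, which the write-up notes they can do at will.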

links for 2008-08-09 [delicious.com] [Andrew Hay]

Posted: 09 Aug 2008 08:00 AM CDT

Ubuntu: The Zealots are Coming [untangling the future...]

Posted: 08 Aug 2008 02:25 PM CDT

Canonical recently invited me to give a talk in their booth at LinuxWorld 2008. I agreed and sent them one of my standard talks “in PDF format” as requested, but told them I’d have to give the talk on my laptop as it includes a live demonstration of some of our software. They were fine with all this, but when I showed up at their booth to do the talk I got a different story.

I was greeted by an extremely rude booth worker complaining of the fact that I needed to use my laptop. After arguing with me a good bit he advised me that I was “on my own” and stormed off. I plugged in and the presentation was up on screen ready to go. It was then that the Canonical zealots noticed that I would be giving my presentation on Windows! The booth worker returned to notify me that I “can not present.” After going back and forth for a good bit, it was decided that because my presentation laptop was running Windows XP I was banned from presenting. Because the audience was now expecting a talk, we all walked 30 yards to the Untangle booth and I proceeded to give the talk.

I find this incident to be very troubling. Firstly, the rudeness and temper displayed have no place at LinuxWorld, especially from Canonical paid staff. Secondly, Ubuntu has remained more religion-free than any Linux distribution to date, but the zealots may be endangering that.

Ubuntu has managed to skate above most of the religion and licensing wars that typically envelop a Linux distribution. That's not to say that religion and licenses aren’t important and worth fighting for, but Ubuntu benefited from being more aligned to a typical user. Developers care passionately about licensing, but users don’t even know how the stuff underneath is licensed and just want it to work. So while Debian GNU/Linux has “IceWeasel,” Ubuntu still has “FireFox.” Ubuntu also has proprietary drivers which make certain hardware function correctly. Many decisions were made that went against the ideals of free software but ultimately were compromises that benefit normal “human beings.”

Ubuntu’s community has also remained fairly zealotry-free. Many open source communities will spank new users for not asking questions in the proper geek etiquette. While this has its place, it is not conducive to drawing in new members who don’t know the proper geek etiquette of asking for help online.

The compromising aspects of Canonical and Ubuntu have been one of its strong points, but if Canonical continues to hire on more zealots it may endanger many of the elements which gave it success. An uncompromising strategy will also make commercial partnerships difficult for Canonical, as zealots don’t typically like companies nor their commercial licenses. Furthermore, it makes me wonder if the Microsoft-led software world is really so bad. Would Canonical be even more strong-handed if given the chance?

The irony is that I do run my laptop on Ubuntu, but that I still use Windows when it's the best tool for the job (games, Photoshop, Excel, PowerPoint, etc). Some of the Canonical higher-ups came by and apologized for our treatment, which gave me hope. I hope this incident is not a reflection of their future direction and culture, but actions can speak louder than words at times.

Compensating Controls for Legit business cases [An Information Security Place]

Posted: 08 Aug 2008 11:17 AM CDT

Here’s one of those times (link NSFW) when doing something that seems contrary to good security practices because of a legitimate business need can cause you problems. This guy had an email account get hacked by someone, and the offender sent out a nasty email to everyone. But the email account was for a deceased employee who used to handle customer relations, and they needed to keep the address alive so emails could be forwarded to another employee. OK, first, that would constantly creep me out if I were getting email addressed to a dead person. But the real point is that sometimes legitimate business needs that go counter to good security practices can cause problems. It sucks, but that is the way it is.

However, if there is a legitimate business need that could potentially cause security headaches, it is up to the security staff to put in a compensating control. According to the poster, there was a real business need to have this email account alive. So if that is the case, why didn’t they just create an alternate email address for the currently living employee instead of keeping the email account alive? Maybe their software wouldn’t allow it, but I doubt it. In this case, there was no compensating control.

To me, it sounds like someone just did the easiest thing (though that can be argued, because they had to set up a forwarding address, which is really just as much labor as setting up an alternate email) instead of making this secure. It’s a lesson, though thankfully they didn’t cause any terrible harm (unless you are extremely offended by dirty pictures).


CNN Alerts: My Custom Alert malware [mxlab - all about anti virus and anti spam]

Posted: 08 Aug 2008 06:49 AM CDT

After a very long outbreak based on the CNN Daily Top 10 it’s now time for something different: CNN Alerts: My Custom Alert. This new version brings more of the CNN malware outbreak in a changed layout but with the same tactics.

Again, the email itself is nicely CNN-branded but contains a link that leads you directly to the malware. The sender's address is spoofed and does not come from cnn.com, but that is not guaranteed for the future.

The link behind Full Story (so don’t click on this one) brings you to a web site, in this case a Russian one, that tells you to download the proper Flash player to view the video. If you accept, the malware file adobe_flash.exe is downloaded.

The trojan has the same characteristics as the CNN Daily Top 10 one: Trojan-Downloader.Agent.EL. It creates a new process on the infected machine, %System%\cbevtsvc.exe, and registers a new service named CbEvtSvc. Quite a few registry modifications are made as well, and the trojan connects directly to a remote IP address on TCP port 443.
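Those host indicators (the CbEvtSvc service, the cbevtsvc.exe image, the adobe_flash.exe dropper and the direct-to-IP connection on 443) are what a responder would sweep for. Below is an added example, not MX Lab's code, that runs those rules over a handful of constructed endpoint events. The pipe-delimited record format is invented for the example, %System% is assumed to expand to C:\Windows\System32, and the host names, timestamps and 203.0.113.5 / 198.51.100.9 addresses (documentation ranges) are made up.

```python
# Host indicators taken from the write-up; everything else below is assumed.
SERVICE_NAME = "cbevtsvc"
IMAGE_NAME = "cbevtsvc.exe"
DROPPER_NAME = "adobe_flash.exe"
C2_PORT = "443"

# Constructed telemetry in a made-up "time|kind|host|k=v|k=v" format.
SAMPLE_EVENTS = """\
2008-08-08T06:49:01Z|ServiceInstall|host1|name=CbEvtSvc|path=C:\\Windows\\System32\\cbevtsvc.exe
2008-08-08T06:49:02Z|ProcessCreate|host1|image=C:\\Windows\\System32\\cbevtsvc.exe|parent=C:\\Users\\u\\Downloads\\adobe_flash.exe
2008-08-08T06:49:05Z|NetworkConnect|host1|image=C:\\Windows\\System32\\cbevtsvc.exe|dst=203.0.113.5:443
2008-08-08T06:50:00Z|ServiceInstall|host2|name=Spooler|path=C:\\Windows\\System32\\spoolsv.exe
2008-08-08T06:50:07Z|NetworkConnect|host2|image=C:\\Program Files\\Browser\\browser.exe|dst=198.51.100.9:443
"""


def parse_event(line: str) -> dict:
    """Split one record into a dict of its fixed columns plus key=value fields."""
    ts, kind, host, *kv = line.strip().split("|")
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": ts, "kind": kind, "host": host, **fields}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_events(text: str):
    """Apply the indicator rules; return (host, rule, detail) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind = ev["kind"]
        image = basename(ev.get("image", ""))
        if kind == "ServiceInstall" and ev.get("name", "").lower() == SERVICE_NAME:
            alerts.append((ev["host"], "service_install", ev["name"]))
        if kind == "ProcessCreate":
            if image == IMAGE_NAME:
                alerts.append((ev["host"], "process_create", ev["image"]))
            if basename(ev.get("parent", "")) == DROPPER_NAME:
                alerts.append((ev["host"], "dropper_parent", ev["parent"]))
        if kind == "NetworkConnect":
            _ip, _, port = ev.get("dst", "").rpartition(":")
            # Only the trojan's own image talking to 443 is flagged; a browser
            # on 443 is normal, which is exactly why the port alone is useless.
            if image == IMAGE_NAME and port == C2_PORT:
                alerts.append((ev["host"], "c2_connect", ev["dst"]))
    return alerts


def infected_hosts(alerts) -> list:
    """Hosts showing both the service install and the outbound 443 connection."""
    by_host = {}
    for host, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"service_install", "c2_connect"} <= rules)


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(*alert)
    print("infected:", infected_hosts(SAMPLE_EVENTS and scan_events(SAMPLE_EVENTS)))
```

The service name and file name are the indicators most likely to change between variants; the behaviour (a freshly installed service whose binary opens a direct connection to an IP address on 443 with no DNS lookup) is the more durable thing to alert on.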

LDAP Headache [BumpInTheWire.com]

Posted: 07 Aug 2008 10:58 PM CDT

I actually developed a headache today from trying to get our Citrix NetScaler demo unit to talk to a domain controller via LDAP.  I tried everything this side of the sun trying to get it to talk to the DC.  Perseverance paid off.  About 15 minutes ago (@ 10:30 PM no less) I was able to claim victory over the NetScaler beast.  The weapon that slayed the beast?  A damn reboot!  Now that that is behind us we can get serious about evaluating this device.  This afternoon I was thinking that I had never worked on a more frustrating piece of equipment in my entire career.  I no longer feel that way but with a headache from chasing my tail all afternoon that was the way I felt.  Not letting the computer win is one of my mottos and this one almost got me!!

It's been an exhausting week and a huge night for change control.  Have a great Friday and weekend!

Black Hat 2008 Day 2: Web 2.0 mayhem [Security Incite Rants]

Posted: 07 Aug 2008 08:14 PM CDT

As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.

Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.

  • Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
  • No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofer Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive web application security model (if it's not explicitly allowed, it's denied). They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
  • Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that leverage web technologies, kind of. Most took advantage of weaknesses in the web application's logic, as opposed to actual security flaws. And it was eye-opening to see some of the real simple stuff (like having press releases accessible before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that companies should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.

And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.


Black Hat: The Risks Of Trusting Content [securosis.com]

Posted: 07 Aug 2008 06:03 PM CDT

I’m sitting in the Extreme Client-side exploitation talk here at Black Hat and it’s highlighting a major website design risk that takes on even more significance in mashups and other web 2.0-style content.

Nate McFeters (of ZDNet fame), Rob Carter, and John Heasman are slicing through the same origin policy and other browser protections in some interesting ways. At the top of the list is the GIFAR, a combination of an image file and a Java applet. An image parser reads the file's header (the part that tells your system how to render it) from the top of the file, while a JAR (a Java applet, which is just a ZIP archive) keeps its directory at the bottom and is read from the end. So the same file looks like an image when it is loaded (because it is), but handed to the Java runtime it runs as an applet. You think you're looking at a pretty picture, since you are, but you're also running an application.

So how does this work for an attack? If I build a GIFAR and upload it to a site that hosts photos, like Picasa, when that GIFAR loads and the application part starts running it can execute actions in the context of Picasa. That applet then gains access to any of your credentials or other behaviors that run on that site. Heck, forget photo sites, how about anything that lets you upload your picture as part of your profile? Then you can post in a forum and anyone reading it will run that applet (I made that one up, it wasn’t part of the presentation, but I think it should work). This doesn’t just affect GIF files; all sorts of images and other content can be manipulated in this way.

This highlights a cardinal risk of accepting user content: it’s like a box of chocolates; you never know what you’re gonna get. You are now serving content to your users that could abuse them, which not only makes you responsible but can directly break your security model. Things may execute in the context of your site, enabling cross site request forgery or other trust boundary violations.

How do you manage this? According to Nate you can always choose to build in your own domain boundaries: serve user content from one domain, and keep the sensitive user account information in another. Objects can still be embedded, but they won’t run in a context that allows them to access other site credentials. Definitely a tough design issue. I also think that, in the long term, some of the browser session virtualization and ADMP concepts we’ve previously discussed here are a good mitigation.
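To make the parser mismatch concrete, here is an added example (mine, not the presenters' code or any real GIFAR sample) that builds a valid 1x1 GIF, appends a ZIP archive to it, and shows that Python's zipfile module happily reads the archive out of the "image". The archive holds a text file rather than an applet. It then shows the upload-side check a site can do if it must accept images on its main domain: walk the GIF block structure to the trailer byte and reject anything that has bytes after it or that carries a ZIP end-of-central-directory record. The domain separation Nate describes is still the real fix, because format validation is a race the defender tends to lose; this check is defence in depth.

```python
import io
import struct
import zipfile

ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory signature a ZIP reader hunts for


def build_gif() -> bytes:
    """A structurally valid 1x1 GIF89a assembled from its raw blocks."""
    header = b"GIF89a"
    # logical screen descriptor: 1x1, 0x80 = global colour table with 2 entries
    screen = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"                    # 2 colours x 3 bytes
    image = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)   # image descriptor
    pixels = b"\x02" + b"\x02\x44\x01" + b"\x00"             # LZW min size, sub-block, terminator
    trailer = b"\x3B"
    return header + screen + palette + image + pixels + trailer


def build_polyglot() -> bytes:
    """GIF followed by a ZIP: the GIFAR layout (payload is text, not an applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "a hypothetical applet would live here")
    return build_gif() + buf.getvalue()


def zip_entry_names(data: bytes) -> list:
    """What a JAR/ZIP reader sees: it locates the central directory from the end."""
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return []
    with zipfile.ZipFile(bio) as zf:
        return zf.namelist()


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks ending in 0x00."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-blocks")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_payload_end(data: bytes) -> int:
    """Walk the GIF structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header (6) + screen descriptor (7)
    flags = data[10]
    if flags & 0x80:                           # global colour table: 3 * 2^(n+1) bytes
        pos += 3 * (2 << (flags & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF")
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer: the image ends here
            return pos
        if block == 0x2C:                      # image descriptor (9 bytes after the marker)
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            local_flags = data[pos + 8]
            pos += 9
            if local_flags & 0x80:             # local colour table
                pos += 3 * (2 << (local_flags & 0x07))
            pos += 1                           # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        elif block == 0x21:                    # extension: label byte + sub-blocks
            pos += 1
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")


def is_clean_gif(data: bytes) -> bool:
    """Accept only a well-formed GIF with nothing after its trailer and no ZIP EOCD."""
    try:
        end = gif_payload_end(data)
    except ValueError:
        return False
    return end == len(data) and ZIP_EOCD not in data


if __name__ == "__main__":
    poly = build_polyglot()
    print("starts as GIF:", poly[:6] == b"GIF89a", "| zip sees:", zip_entry_names(poly))
    print("clean gif accepted:", is_clean_gif(build_gif()), "| polyglot accepted:", is_clean_gif(poly))
```

The EOCD scan matters because an attacker can stuff the archive inside the image's data sub-blocks rather than after the trailer, which the structural walk alone would accept. Re-encoding every upload through an image library (so the bytes you serve are ones you produced) is the other common control, and it sits well alongside the separate-domain design.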


BlackHat Post [An Information Security Place]

Posted: 07 Aug 2008 02:13 PM CDT

Blackhat, Defcon, security conference, hacking, DNS vulnerability, DNS exploit, virtualization security, etc.

There, I posted about BlackHat.


Insurers Mining Consumer Data [securosis.com]

Posted: 07 Aug 2008 12:30 PM CDT

I saw this article in the Arizona Republic Monday about how the insurance companies are able to save money by gathering health care records electronically, make more accurate analyses of patients (also saving money) and be able to adjust premiums (i.e., make more money) based upon your poor health or various other things. You know, like ‘pre-existing’ conditions, or whatever concept they choose to make up.

Does anyone think that they will be offered an option? The choice of not providing these electronically? Not a chance. This will be the insurer’s policy, and you can choose to not have insurance, or turn over your records.

Does this violate HIPAA? To me it does, but since you are given the illusion of choice, their legal team will surely protect them with your ‘agreement’ to turn over these electronic documents. And why not, with all the money they saved through data analysis, they have plenty of money for their legal expenses.

Does anyone think that the patient will be allowed to see this data, verify accuracy, or have it deleted after the analysis? Not a chance. Your medical data will most likely have a “half life” longer than your life span. That stuff is not going anywhere, unless it is leaked of course. But then you will be provided a nice letter in the mail about how your data may or may not have been stolen and how you can have free credit monitoring services if you sign this paper saying you won’t sue. It’s like watching a car wreck in slow motion. Or a Dilbert comic strip.

Let me take another angle on the data accuracy side of this proposition. When I first graduated college, I walked down the street to open a checking account with one of the big household names in banking. For the next 12 months I received a statement each month, and not one of those banking statements was 100% correct. Every single statement had an error or an omission! My trials and angst with a certain cell phone provider are also well documented. Once again, charges for things I did not order, rates that were not part of the plan, leaked personal data, and many, many other things during the first year. I had one credit card for a period of 12 years, and like clockwork, a late fee was charged every 6-9 months despite postmarks and deposit dates which conclusively showed I was on time. I finally got tired of having to call in to dispute it, and just plain fed up with what I assumed was a dastardly business practice to generate additional revenue from people too lazy to look at their bills or pick up the phone and complain. I had a utility company charge me $900, for a single month, on a vacant home I had moved out of three months prior. One out of two grocery store receipts I receive is incorrect in that one or more prices are wrong or one of the items scans as something that it is not. Other companies who saved my credit card information, without my permission, tried to bill me for things I did not want nor purchase. Electronic records typically have errors, they are not always caught, and there may or may not be a method to address the problem.

The studies I have seen on measuring the accuracy of data contained within these types of databases are appalling. If memory serves, over 20% of the data contained in these databases is inaccurate due to entry or transcription errors, is incorrect because of logic errors in transformation algorithms, or has become inaccurate with the passage of time. That latter item means each subsequent year, the accuracy degrades further. There is no evidence that Ingenix will have any higher accuracy rates, or will not be subject to the same issues as other providers, such as ChoicePoint. They say computers don’t lie, but they are flush with bogus data.

Now think about how inaccurate information is going to affect you, the medical advice you receive, and the cost of paying for treatment! There is a strong possibility you could be turned down for insurance, or pay twice as much for insurance, simply because of data errors. And most likely, the calculation itself will not be disclosed, for “Pharmacy Risk Score” or any other actuarial calculation. If this system does not have a built-in method for periodically certifying accuracy and removing old information, it is a failure from the start. I know this is a recurring theme for me, but if companies are going to use my personal information for their financial gain, I want to have some control over that information. Insurance companies will derive value from electronic data sharing because it makes their jobs easier, but the consumer will not see any value from this.


Black Hat 2008 Day 1: We're Screwed! [Security Incite Rants]

Posted: 07 Aug 2008 11:39 AM CDT

Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.

I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.

  • Keynote: Ian Angell, Professor, London School of Economics - Professor Angell is a pretty engaging character and I enjoyed his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
  • Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
  • Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to compromise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
  • Hoff's Four Horsemen: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
  • Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.

The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky's and Hoff's pitches and come to the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.

Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.

Only in Vegas...
