Posted: 13 Aug 2008 10:54 PM CDT
His book, Applied Security Visualization, is now out:
Last Tuesday when I arrived at BlackHat, I walked straight up to the book store. And there it was! I held it in my hands for the first time. I have to say, it was a really emotional moment. Seeing the product of 1.5 years of work was just amazing. I am really happy with how the book turned out. The color insert in the middle is a real eye-catcher for people flipping through the book, and it greatly helps make some of the graphs more interpretable.

I'm really excited, and look forward to reading it!
Posted: 13 Aug 2008 10:34 PM CDT
Via BlackHat2008, TechWebTV has published another excellent interview video, this time discussing the Xen hypervisor and the inherent security implications of virtualization, along with the now nearly ubiquitous BluePill project. Joanna Rutkowska, a security researcher specializing in malware at Singapore-based COSEINC, focuses on these and other issues. Without further ado, here's the video:
Posted: 13 Aug 2008 10:33 PM CDT
Posted: 13 Aug 2008 05:47 PM CDT
A hearing will be held in Boston tomorrow to decide whether or not the restraining order gagging the MIT students from talking about the vulnerabilities they have found should be lifted. Even though the Defcon presentation is widely available and the MBTA disclosed the “Confidential” memo from the MIT students in their court filings, they are seeking a permanent speech injunction. An august group of computer scientists has signed a letter which will be entered into the record for the case. This list includes: Dave Farber of Carnegie Mellon University, Steve Bellovin from Columbia University, David Wagner from UC Berkeley, Dan Wallach from Rice University, Matt Blaze from the University of Pennsylvania, and Bruce Schneier. An excerpt:
It will be interesting to see what arguments the MBTA uses to keep the students from speaking on a topic where all the important vulnerability information seems to have already been disclosed. Sure, the students haven't presented a cookbook exploit tool, but they have also stated they have no intention of doing so.
Perhaps the court will investigate what the response of the MBTA and its technology vendors has been to the MIFARE card vulnerabilities that were disclosed responsibly. If there has been no vigorous response to vulnerabilities responsibly disclosed many months ago, how can they say with a straight face that they are truly responding to new security information and just need more time?
Posted: 13 Aug 2008 05:18 PM CDT
Posted: 13 Aug 2008 05:00 PM CDT
Posted: 13 Aug 2008 04:44 PM CDT
Alan Harten of SecurityWatch UK reports that Professor Howard A. Schmidt (formerly the chief strategist for the US-CERT Partners Program of the Department of Homeland Security) has been appointed President of the Information Security Forum (ISF). Professor Schmidt is also a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA), the International Advisory Board of the International Multilateral Partnership Against Cyber Terrorism (IMPACT), and the High-Level Experts Group for the ITU's Global Cybersecurity Agenda. He is also a member of the board of (ISC)2.
Posted: 13 Aug 2008 04:16 PM CDT
So, as many readers may be aware, there was recently a series of "attacks" against some folks in the security industry. Although details are light, it appears that someone was able to compromise one system (say, a blog), obtain the password, and then use that same password to compromise other systems (say, an email account).
I have been meaning to post on this since I often find myself signing up for various on-line things (porn, BitTorrent sites, and of course my "Breakin' 2: Electric Boogaloo" fan club group), but I have a poor memory, so I use the same password everywhere (in case you are curious, it is hoff1, or chrishoff1 if it requires more than 5 characters). I realized, of course, that if I use that same password/username to access some backwoods, hillbilly site, that site could be compromised and the nefarious interlopers would then have my access credentials for a whole host of systems.
Well, I thought I had better change my behavior, but I was stuck with the same problem of having to remember multiple passwords, which became a pain, so I switched to passphrases to deal with my memory issues. Passphrases are easier to remember, have higher entropy, and are more secure? Well, that isn't completely true, but hey, 1 out of 3 ain't bad. MSFT has some good discussion on passwords vs. passphrases (here), (here), and (here).
OK, so they are easier to remember; let's test this out using passwords...
System 1 (this blog) password = hoff1
System 2 (my email) password = choffis2
System 3 (my other email) password = choffis3
System 4 (my bank) password = choffis@ss (need this one to be real secure)
See, I quickly forget which is which, and I am stuck with the problem of having to periodically reset them, which then screws up my whole game plan.
Quick anecdote: While I was with Gartner I was talking to one of the largest school districts in the country. At the time they had implemented a very draconian password policy: 8 characters minimum, must include alphanumerics, must be reset every 60 days, can never reuse a password, account locks out after 3 bad attempts, etc. The user population was, for the most part, only part-time computer users and was really struggling to come up with creative passwords for their various systems; additionally, they found that several of the faculty were writing the passwords down so they could remember them. Bueller, anyone? The result was a 40% increase in technical support calls to perform password resets (no, they had not yet implemented single or reduced sign-on, and no, they had not yet implemented a mechanism for users to provision themselves or reset their own passwords). This was impacting budget and costing real hard dollars, and they experienced no material improvement in security access controls; in fact, they probably created more opportunities for compromise than they removed.
Anyway let’s see what happens when I switch to passphrases…
System 1 (this blog) password = hoffistheman
System 2 (my email) password = hoffisthemanforhotmail
System 3 (my other email) password = hoffisthemanforyahoomail
System 4 (my bank) password = hoffisthemanforallmybankingneeds
Although this doesn't do much for my security, it does offer some benefits. One, it is a lot easier to remember. Two, if I need to make a change or reset, I can simply change everything from "istheman" to "isnttheman" and I achieve goal #1. Three, if someone compromises system 1 they are not automatically granted access to system 2, unless of course they have read this blog posting.
In the end passwords suck; they do little for security and create a lot of headaches, which of course is why even people in security tend to reuse the same password. In the '60s hippie chicks rallied around a "burn your bra" mantra; perhaps it is time for a "burn your password" mantra. OK, I can rally around the bra thing, but as useless as passwords or passphrases are, we are still at their mercy for most of our computing practices.
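As an added example that is not part of the post above, the Python below puts numbers on two of its points and then shows one way out. search_space_bits is a character-class brute-force estimate of the kind the linked Microsoft articles discuss (it is generous to dictionary-word passphrases, which is the "not completely true" caveat). common_prefix_len shows how much of the four passphrases is shared, so anyone who learns one, or reads the scheme, gets most of the others for free. site_password is a swapped-in alternative, not the author's method: derive each site's password from one memorised master secret with HMAC-SHA256, so a compromised site reveals nothing about the others even when the scheme is public, and a reset is a version bump rather than a new mnemonic. The master secret and site names are constructed for the example.

```python
import base64
import hashlib
import hmac
import math
import string


def search_space_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming the attacker knows which
    character classes appear and tries every string of that length.
    Dictionary-word passphrases score far higher here than they deserve."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def common_prefix_len(a: str, b: str) -> int:
    """Leading characters two passwords share: roughly how much of one an
    attacker who holds the other gets for free."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def site_password(master: str, site: str, version: int = 1, length: int = 20) -> str:
    """Per-site password from a single memorised secret. The HMAC key is the
    master, the message is the site plus a version counter, so bumping the
    version 'resets' one site without touching the others. Output is
    base64url, so it mixes upper, lower, digits and '-'/'_'."""
    msg = f"{site.lower()}|{version}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]


# The passphrases the post uses as its own examples.
POST_PASSPHRASES = [
    "hoffistheman",
    "hoffisthemanforhotmail",
    "hoffisthemanforyahoomail",
    "hoffisthemanforallmybankingneeds",
]

if __name__ == "__main__":
    for pw in ["hoff1", "choffis@ss"] + POST_PASSPHRASES:
        print(f"{pw:34s} {search_space_bits(pw):5.1f} bits")
    print("shared prefix, hotmail vs yahoo:",
          common_prefix_len(POST_PASSPHRASES[1], POST_PASSPHRASES[2]))
    master = "correct horse battery staple"  # constructed master secret
    for site in ["hotmail.com", "yahoo.com", "bank.example"]:
        print(f"{site:14s} {site_password(master, site)}")
    print("after reset:   ", site_password(master, "hotmail.com", version=2))
```

The derived passwords are not memorable, which is the trade: the user memorises one master and recomputes the rest on demand, so the master must never be typed into any of the sites themselves. A character-class estimate such as search_space_bits is only an upper bound; a cracker with a wordlist treats "hoffistheman" as three or four tokens, not twelve characters.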
Posted: 13 Aug 2008 12:48 PM CDT
Imperva launched its technology partner ecosystem, OpenSphere, almost a year ago, and one of the founding members is Crossbeam Systems. What follows is a blog posting from Sanjay Raja, Sr. Product Line Manager at Crossbeam. This is the first such posting from our partners, and I hope to follow up with many more on the value additions being developed as part of OpenSphere.
-Rohit Gupta, VP Business Development, Imperva.
The reality for most large enterprises is that they need to support specialized classes of security applications on their networks to comply with regulations and protect against evolving threats. Often these security apps must be integrated within a layered security architecture. Imperva's SecureSphere application data security products are a perfect complement to existing firewall and IPS technologies, as they protect enterprise business data from the database through the application.
The problem today is that companies are challenged to manage this growing sprawl of mission-critical security apps and associated security infrastructure without sacrificing the performance needed to ensure non-stop availability.
In the real world, enterprises have to do extensive testing to make sure the mix of security applications they want to run will interoperate and work at the performance levels they demand.
This is where Crossbeam's iBeam program has become so critical, because it is extremely time-consuming and manual for customers to properly deploy, test, or add new applications to their networks. They have to get these deployments staged and qualified while addressing the complex and unpredictable scenarios that can arise during testing.
The iBeam program essentially takes Crossbeam's years of experience deploying best-of-breed security applications deep within carrier-class networks and automates it. The result is that customers can leverage the network-virtualization and application-consolidation benefits of Crossbeam's Next Generation Security Platform to deploy the applications of their choice (such as SecureSphere) and scale them as needed.
iBeam mimics the complexity of these networks and runs a battery of interoperability tests and performance traffic through various permutations to ensure the success of security apps in every possible scenario. Ultimately, the goal is to let leaders like Imperva excel at delivering the best in security, while Crossbeam delivers the high-performance platform that enables enterprises to deploy and intelligently virtualize the security apps of their choice to meet the growing demands of business.
We give our ISV partners the tools to integrate, test, and self-certify their apps on Crossbeam so they can anticipate the unpredictability of customer environments. The result is a frictionless partnering environment with ISV partners, so that customers can deploy the combined solution with a high degree of confidence.
- Sanjay Raja, Sr. Product Line Manager at Crossbeam
Posted: 13 Aug 2008 10:56 AM CDT
Posted: 13 Aug 2008 07:11 AM CDT
It's time to wrap up Step 5: Selling the Story. We finish the discussion by talking about how to get funding when the budget monkeys have told you no. Basically, we have to take a "grass roots funding" approach: go to the business leaders directly, make the case, and get the funding we need. It's kind of like selling cookies door to door. We have to be persistent and make the case as to why it would be a good purchase.
This requires us to broaden our skills and likely move out of our comfort zone quite a bit. It's uncomfortable, but it's a good thing. Just remember to focus on the "customer" issues and on the Reasons to Secure. The business leaders will respond to that. Ultimately you may not get the funding you need, but you won't go down like a whimpering puppy. You'll go down swinging, trying to do the right thing.
Running time: 6:29
Posted: 13 Aug 2008 05:27 AM CDT
I could spend hours talking about how much of a good time Chris Mills and I had at DC16 or I figured you all could just tune in for EP8 which we’ll be recording tonight. There are a lot of people we need to thank for their hospitality as well as the free beer! We [...]
Posted: 12 Aug 2008 10:35 PM CDT
Thanks to Alex S for the heads up... VMware licensing bug blacks out virtual servers (here)
Wow! Just when you thought patch Tuesday couldn’t get any worse.
Posted: 12 Aug 2008 09:22 PM CDT
So there is a particular security product manufacturer that Accuvant sells that I cannot name since I will get in trouble (love ya’ Dan!) that has a good product, but their support has been horrendous lately. Actually, even their product has been slipping, now that I think of it. And it is starting to hurt the relationship we have with a couple of customers because we recommended the product back when they were kicking some major butt all around. And it really just pisses me off because this started just a few months before they got bought by a big company. Oops, man, that probably gave it away, didn’t it? Huh? Wadda mean there’s only been about 20 companies that fit that description? Oh yeah…
As I was saying, this started just a few months before the announcement of their getting snapped up. This just seems backwards to me. Does management just get that distracted that their quality starts sucking wind? Shouldn’t they be trying to concentrate more on quality? Maybe the deal was pretty much done and they figured what the heck? The new guys will clean up the mess?
I experienced that back when Juniper bought NetScreen as well. I was a customer, and their support went straight to hell for about a year, then it all came back together. But I kinda expected that to happen. That was a big deal. The company I am talking about is not that big, so there should not be a drop in quality like that. And the Juniper/NetScreen issues didn't start until AFTER the buyout. This is happening BEFORE the buyout.
So if there are any manufacturers reading right now, please think about this. If you are getting ready to sell, please do everything you can to maintain quality in your product and support. Don’t screw over your employees (don’t know if that is happening here, but the drive of the sales team seems to have dropped dramatically). Because if your quality drops, I am going to quit recommending you, and so will a lot of people. Of course, if you already have your money and are at the beach, you are probably not reading this and couldn’t give less of a crap anyway.
Posted: 12 Aug 2008 08:49 PM CDT
The web has started commenting on Twitter's decision to limit the number of accounts that a given user can follow. Having a hard limit is a smart move for multiple reasons. Not only does it allow you to more finely bound the computational load of the message-passing architecture, it negatively impacts only two groups, namely spammers and the obsessive-compulsive. This is a good first step, one that I pointed out in an interview once before. I suspect that Twitter will also be working on a throttling policy as well as IP and content blacklisting as follow-on mechanisms to continue to battle spam.
Posted: 12 Aug 2008 07:01 PM CDT
Posted: 12 Aug 2008 06:05 PM CDT
At BlackHat, security researchers Billy Rios and Nathan McFeters presented "The Internet is Broken", which contained information on GIFARs, a term for GIF image files combined with Java ARchives (JARs). These files could be uploaded to sites that allow image uploading (such as many sites' member photos) to run code in the context of that site, getting around the "same origin policy" that browsers impose. This works because GIF images (along with many other file types) store their header at the beginning of the file, and ZIP archives (which is what JAR files are made of) store their data at the tail.
The following video demonstrates this technique.
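An added example, not code from the talk or the video: the Python below constructs a GIFAR from a hand-assembled 35-byte 1x1 GIF and a placeholder JAR (a manifest plus a text file standing in for the applet class; there is no bytecode, so nothing here runs in a JVM), then shows that the two parsers disagree about what the file is. gif_extent walks the GIF block structure from the front and stops at the 0x3B trailer, while Python's zipfile, like a JAR loader, starts from the back by locating the end-of-central-directory record and never looks at the GIF bytes in front. The same walk gives a server-side upload check the post does not spell out: a well-formed GIF has nothing after its trailer, so any trailing bytes (let alone a ZIP end-of-central-directory signature among them) are grounds to reject or re-encode the upload. All inputs are constructed.

```python
import io
import struct
import zipfile

# Constructed 35-byte GIF89a, one black pixel; hand-assembled, not from the talk.
GIF_1X1 = bytes.fromhex(
    "474946383961"                          # "GIF89a"
    "0100" "0100"                           # logical screen 1x1
    "80" "00" "00"                          # global colour table (2 entries), bg, aspect
    "000000" "ffffff"                       # colour table: black, white
    "2c" "0000" "0000" "0100" "0100" "00"   # image descriptor, no local table
    "02"                                    # LZW minimum code size
    "02" "4401"                             # one sub-block: clear, pixel 0, end-of-information
    "00"                                    # block terminator
    "3b"                                    # trailer
)


def gif_extent(data: bytes):
    """Walk the GIF block structure from the front. Returns (width, height,
    end) where end is the offset just past the 0x3B trailer, i.e. where an
    image decoder stops reading. Raises ValueError if the structure is off."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        width, height, packed = struct.unpack_from("<HHB", data, 6)
        pos = 13                                  # past the 7-byte screen descriptor
        if packed & 0x80:                         # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while True:
            tag = data[pos]
            pos += 1
            if tag == 0x3B:                       # trailer: the image ends here
                return width, height, pos
            if tag == 0x2C:                       # image descriptor (9 bytes)
                lpacked = data[pos + 8]
                pos += 9
                if lpacked & 0x80:                # local colour table
                    pos += 3 * (2 << (lpacked & 0x07))
                pos += 1                          # LZW minimum code size
            elif tag == 0x21:                     # extension: one label byte
                pos += 1
            else:
                raise ValueError(f"unknown block 0x{tag:02x} at {pos - 1}")
            while True:                           # data sub-blocks until a zero length
                n = data[pos]
                pos += 1
                if n == 0:
                    break
                pos += n
    except (IndexError, struct.error):
        raise ValueError("truncated GIF") from None


def build_jar(entries: dict) -> bytes:
    """A JAR is a ZIP with a manifest, so zipfile is all that is needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Placeholder archive: manifest plus a text file standing in for the applet class.
PLACEHOLDER_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "payload.txt": "constructed stand-in for an applet class\n",
})


def build_gifar(gif: bytes, jar: bytes) -> bytes:
    """GIF first, ZIP second: the image parser reads from the front and stops
    at the trailer; the ZIP parser finds its central directory from the back."""
    return gif + jar


def jar_names(data: bytes):
    """What a JAR loader sees: the end-of-central-directory record at the tail
    is found and the leading GIF bytes are never examined."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def trailing_bytes(data: bytes) -> int:
    """Bytes after the GIF trailer. A well-formed upload has zero."""
    _, _, end = gif_extent(data)
    return len(data) - end


def reject_upload(data: bytes):
    """Cheap first gate for an image upload endpoint: a reason to reject, or
    None. Re-encoding the image with a real library is the stronger fix."""
    try:
        extra = trailing_bytes(data)
    except ValueError as e:
        return str(e)
    if extra:
        reason = f"{extra} bytes after GIF trailer"
        if b"PK\x05\x06" in data[-extra:]:
            reason += " (ZIP end-of-central-directory signature present)"
        return reason
    return None


if __name__ == "__main__":
    gifar = build_gifar(GIF_1X1, PLACEHOLDER_JAR)
    w, h, end = gif_extent(gifar)
    print(f"image parser: {w}x{h} GIF ending at byte {end} of {len(gifar)}")
    print("jar parser:  ", jar_names(gifar))
    print("upload check:", reject_upload(gifar))
    print("clean gif:   ", reject_upload(GIF_1X1))
```

Both views are correct at once, which is the whole trick: the site's thumbnailer sees a valid image and serves it from its own origin, and a Java plugin handed the same URL as an applet archive sees a valid JAR. Checking for trailing bytes catches this particular layout but not every polyglot (other formats tolerate appended or interleaved data differently), so the durable defence is to decode and re-encode uploads rather than store what the client sent.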
Posted: 12 Aug 2008 05:43 PM CDT
Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the security community. I didn’t submit a talk this year, but nevertheless, fake Dan Kaminsky was still excited to see me.
My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned (here is a more accurate report). It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.
As for the girls? I can report first-hand that the ladies at TAO on Wednesday night were hanging on Alex’s every word. They were particularly impressed when he whipped out the laptop for a live demo. Unfortunately, none of the dozen iPhone owners in the immediate vicinity thought to snap a picture (too busy Twittering). Oh well.
I also enjoyed Hovav Shacham’s talk on return-oriented programming. Simply put, he described a generalization of the return-to-libc shellcode approach with the intent to demonstrate that one could achieve Turing-complete computation using “found code” in process images. By chaining together series of mini-computations ending in return (RET) instructions, it was possible to build higher-level programming constructs such as branches and loops. The nature of the x86 instruction set provides some flexibility because instructions are interpreted differently depending on how you align the instruction pointer (i.e. the old shellcode trick of searching the process image for any JMP EBX instruction and using that as your EIP). In RISC architectures such as SPARC, however, you don’t have that luxury; if your %pc isn’t aligned properly you get a bus error. So it was quite interesting to see that they were able to extend the concept to RISC. The practicality of the attack technique is limited by the fact that the shellcode is tuned to a particular binary image — if the shellcode was built using instructions extrapolated from glibc 2.3.5, it won’t work for a system running glibc 2.4.
I thought Scott Stender’s talk on Concurrency Attacks in Web Applications was interesting as well. In a nutshell, spewing thousands of simultaneous requests at web application transactions that are not thread-safe can create interesting problems. In the presentation, Scott ran his demo against a VM running on the attack machine. I found myself wondering how effective the same attack would be over the Internet — would it be significantly less reliable (or not at all)? Race conditions are generally easier to exploit locally than remotely due to more predictable execution conditions. Certainly this is an under-tested vulnerability class though.
One presentation I wasn’t able to attend but want to follow up on is Nate McFeters, John Heasman, and Rob Carter’s talk which discussed the GIFAR attack I’ve been hearing so much about lately. The gist is that you can create a file that is both a valid GIF and a valid JAR, then use some Java applet tricks to initiate HTTP requests on behalf of the victim.
Finally, the Pwnie Awards didn’t fail to disappoint. Drama ensued over the Most Overhyped award, but at least this year some of the winners showed up to claim their awards! Halvar rapping Symantec lyrics was also quite memorable.
All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.
P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!
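An added example, not from the talk or from Shacham's tooling: the Python below is a toy gadget finder for 32-bit x86 that decodes only a handful of single-byte instructions plus mov r32, imm32, which is all that is needed to show the alignment point in the recap above. A linear sweep of the constructed byte string b8 58 c3 90 90 5b c3 decodes it as mov eax, 0x9090c358; pop ebx; ret, but entering one byte in gives pop eax; ret, a gadget no compiler emitted. Scanning backwards from every 0xC3 finds such tails regardless of where the intended instruction boundaries fall; real tools do the same with a full disassembler. On a fixed-width RISC target every instruction start is known, so this class of unintended gadget does not exist, which is why extending the technique to SPARC is the interesting part. The byte string is constructed, not taken from any real binary.

```python
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Single-byte x86-32 opcodes: enough to recognise common gadget tails such as
# "pop ebx; ret". Deliberately not a full disassembler.
ONE_BYTE = {0x90: "nop", 0x99: "cdq", 0xC3: "ret", 0xC9: "leave"}
for _r, _name in enumerate(REGS32):
    ONE_BYTE[0x40 + _r] = f"inc {_name}"
    ONE_BYTE[0x48 + _r] = f"dec {_name}"
    ONE_BYTE[0x50 + _r] = f"push {_name}"
    ONE_BYTE[0x58 + _r] = f"pop {_name}"


def decode_at(code: bytes, off: int):
    """Decode one instruction at off. Returns (mnemonic, length) or None."""
    op = code[off]
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1
    if 0xB8 <= op <= 0xBF and off + 5 <= len(code):  # mov r32, imm32
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return f"mov {REGS32[op - 0xB8]}, 0x{imm:08x}", 5
    return None


def linear_sweep(code: bytes):
    """What a disassembler starting at offset 0 sees: the intended stream."""
    out, off = [], 0
    while off < len(code):
        d = decode_at(code, off)
        if d is None:
            out.append((off, f"db 0x{code[off]:02x}"))
            off += 1
        else:
            out.append((off, d[0]))
            off += d[1]
    return out


def find_gadgets(code: bytes, max_insns: int = 3):
    """Every RET-terminated run of up to max_insns single-byte instructions,
    found by decoding backwards from each 0xC3 with no regard for the
    intended alignment. Returns (offset, [mnemonics]); the offset is the
    gadget's address relative to the start of the image."""
    gadgets = []
    for end in (i for i, b in enumerate(code) if b == 0xC3):
        insns = ["ret"]
        for start in range(end - 1, max(end - max_insns, 0) - 1, -1):
            op = code[start]
            if op == 0xC3 or op not in ONE_BYTE:
                break
            insns.insert(0, ONE_BYTE[op])
            gadgets.append((start, list(insns)))
    return gadgets


# Constructed bytes: mov eax, 0x9090c358 ; pop ebx ; ret
CODE = bytes.fromhex("b858c390905bc3")

if __name__ == "__main__":
    print("intended stream:")
    for off, m in linear_sweep(CODE):
        print(f"  {off:2d}: {m}")
    print("gadgets (unaligned entry points included):")
    for off, insns in find_gadgets(CODE):
        print(f"  {off:2d}: {'; '.join(insns)}")
```

The offsets a finder like this reports are what ties a return-oriented payload to one exact binary: they are file offsets into a specific build, so a chain assembled against one libc build fails on the next, exactly as the recap notes for glibc versions.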
Posted: 12 Aug 2008 05:42 PM CDT
Google (NasdaqGS: GOOG) has released its open source cryptographic toolkit, monikered Keyczar, for non-crypto-inclined developers.
Posted: 12 Aug 2008 05:34 PM CDT
We’re proud to announce a new whitepaper dedicated to best practices in endpoint DLP. It’s a combination of our series of posts on the subject, enhanced with additional material, diagrams, and editing. The title is (no surprise) Best Practices for Endpoint Data Loss Prevention. It was actually complete before Black Hat, but I’m just getting a chance to put it up now.
The paper covers features, best practices for deployment, and example use cases, to give you an idea of how it works.
Posted: 12 Aug 2008 12:31 PM CDT
Posted: 12 Aug 2008 10:38 AM CDT
Posted: 12 Aug 2008 08:57 AM CDT
We will be recording Episode 8 on Wed, Aug 13th at 7pm. The live stream will be up, join us on IRC for the url.
Posted: 12 Aug 2008 06:52 AM CDT
August 12, 2008 - Volume 3, #68
Top Security News
What kind of parachute fits on a pwnie?
Top Blog Postings
Too much GRC? It's more about tactical vs. strategic
Posted: 11 Aug 2008 10:52 PM CDT
The MBTA (Massachusetts Bay Transportation Authority) has apparently been hoisted upon its own petard... er, bus. The MBTA filed a federal complaint on Friday (Case 1:08-cv-11364-GAO) to prohibit MIT (Massachusetts Institute of Technology) researchers/students from divulging (during a talk to be presented at DefCon) exploitable vulnerabilities discovered in the payment architecture for Boston's subway, according to PCWorld. The students, Zack Anderson, Russell "RJ" Ryan and Alessandro Chiesa, all complied with US District Judge Douglas P. Woodlock's decision, based on advice from counsel Jennifer Granick, an attorney with the EFF (Electronic Frontier Foundation).
 The Register
Posted: 11 Aug 2008 07:05 PM CDT
Last week, the US Justice Department charged 11 people with stealing more than 40 million credit- and debit-card numbers from nine retailers, calling it the largest US identity theft prosecution. Kudos to all who were involved in this operation. The Chronicles of Dissent blog (one of the best privacy-related sources) identified that some of the retailers mentioned had not disclosed the breach earlier.