Posted: 24 Aug 2008 05:02 AM CDT
I recently stumbled across the CVSS v2 vulnerability scoring method – as I was writing a post about risk vernacular. Per the CVSS v2 complete guide, "The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impact of IT vulnerabilities." As I started highlighting parts of the guide that were thought-provoking from a risk perspective, I realized this would probably result in at least two posts – maybe three. So off we go…
I would encourage anyone reading this to perform their own review of CVSS and how it can possibly augment their own risk assessment efforts. In my opinion, there are some really useful "metric vectors" that provide a simple yet powerful way to analyze a vulnerability. In addition, I really like how they have a simple "scoring vector" – essentially a shorthand representation of all the individual "metric vectors". I could see how this could be really useful for archiving / documenting purposes, but also for being programmatically manipulated for other purposes.
Thought 1: One of the first things that stood out to me as I started reading the CVSS guide was on page three, where they talk about "prioritized risk". While I agree that their vulnerability score can be considered contextual and be used to compare variance in multiple vulnerabilities – I do not agree that it is representative of the actual risk to the organization.
Here is why.
Nowhere in CVSS is there a metric for gauging how often assets within your environment – that have the vulnerability being analyzed – are being attacked, let alone compromised. Now, I am not implying that the authors and maintainers of CVSS are trying to mislead security professionals – but I think this underscores a problem within our industry about knowing what risk is, the elements that make up risk, and risk vernacular.
Let's talk about vulnerability for a minute. Generally speaking, it can be something (noun, a weakness) or a state / condition (adjective, my application is highly vulnerable to x). It would appear that CVSS accounts for both, because you use CVSS to determine how vulnerable you are to a vulnerability. Sounds confusing – but not all is lost.
FAIR – the risk assessment methodology I use - accounts for vulnerability as a condition. Within FAIR, vulnerability is derived from "threat capability" (the percentage of my threat community that can overcome control resistance) and "control resistance" (the percentage of control resistance I have against the "threat population" as a whole; for FAIR, threat community is a subset of threat population). When you have and can leverage a methodology and risk taxonomy like FAIR – you can see how easy it is to not take for granted what I would call risk term generalizations – using terms without truly understanding how they should be properly used or not knowing what they really mean. Just to reiterate – vulnerability is an element of risk – not risk itself.
Thought 2: On page 6, section 1.7 of the guide, "Quick Definitions", "threat" is defined as the "likelihood or frequency of a harmful event occurring". This is the closest CVSS comes to touching "threat event frequency" or "loss event frequency". Threat can be both a noun and verb – but I have yet to see a dictionary that includes likelihood in its definition. It may sound like I am splitting hairs on definitions and picking on the CVSS folks – this is not my intention; but some of the concepts being discussed are foundational to understanding risk.
To wrap this first post about CVSS, I would offer the following:
1. That the CVSS-SIG consider participating in The Open Group; specifically in the "Risk Management and Analysis Taxonomy" forum.
In the next CVSS related post, I will focus more on the CVSS Metric Groups and how these have forced me to take a step back and evaluate the rigor and consistency I apply to risk assessments.
Posted: 23 Aug 2008 03:11 PM CDT
At our recent Defcon 16 talk on Careers, Lee Kushner and I released a survey on careers in the information security industry.
Lee and I have spent the last couple of years having a good number of conversations on the way that people navigate careers in this industry, and we have talked about it at a few conferences now. But we got really tired of not having any real data on the topic. There are a good number of “career” or “salary” surveys that are done every year, but all of them have a particular slant - whether they’re performed by a professional organization or a media outlet, there’s a particular audience that is served by the survey that tends to slant the results toward a particular segment of the industry.
Lee and I were lamenting this a few months back, and one of us said: “Man, wouldn’t it be fantastic if there was a survey that covered the entire breadth of the industry, with no particular audience as a target?”
Since there wasn’t, we decided to create one. And, since we’re not great survey experts, we worked with Dr. Max Kilger, a Ph.D. from Stanford who has done great work with the Honeynet Project. Max’s brilliant guidance helped us turn the survey into something useful for gathering real, unbiased data on what’s going on in the industry.
So, I’m asking - please help us out with this one by filling it out. We’d love to be able to come back at the end of 2008 and give some real data to the industry on what’s actually going on out there.
Posted: 23 Aug 2008 09:34 AM CDT
As announced on a Fedora mailing list, some Fedora servers were illegally accessed and “a small number of OpenSSH packages” were signed by the intruder. The servers were taken offline quickly after the breach was discovered. As a security precaution, Red Hat has changed the signing keys for Fedora, updated OpenSSH packages and also issued [...]
Posted: 23 Aug 2008 08:31 AM CDT
Posted: 22 Aug 2008 09:08 PM CDT
We tossed him a shirt while he was at the IOActive party just before we ventured up to the Core Impact party in Caesars Palace. Thanks for your support Dan!
Posted: 22 Aug 2008 08:46 PM CDT
Thanks to Mubix for his posting on ZDNet, below you will find a link that describes all of the latest tools that were presented at Defcon 16. Use them at your own discretion and make sure you have permission if using them on an enterprise network! As Mubix has no control over the ZDNet posting, [...]
Posted: 22 Aug 2008 03:56 PM CDT
I’m always surprised (for some reason) when I wander into a new corporate environment. Walking from the front door to the conference room of the day I invariably pass workstations with Facebook, MySpace or something equally inane gracing the screen. To say nothing of folks who install P2P apps on their corporate systems.
Where’d their brains go? It’s not like they don’t get the riot act read to them when they start a new job. For that matter most environments provide regular “security awareness” training. Still it continues.
CIO has an interesting article on the enduring disregard that white collar folks have for privacy.
How can we as security folks bridge the gap to help educate folks in a meaningful manner?
I’m going to take this box of chocolate bars and go for a walk.
Posted: 22 Aug 2008 03:32 PM CDT
That purveyor of all things craptacular, as it pertains to electronic voting, is in the news again.
From The Columbus Dispatch:
Recovering tax payer dollars for a start. What about auditing the results of past…oh, who am I kidding?
So, these machines that “lose” votes will not be fixed in time for the election? I say it’s time for one helluva refund for the State of Ohio. Get those pencils sharpened. Time to roll back to tried and true voting methods.
Posted: 22 Aug 2008 01:22 PM CDT
Posted: 22 Aug 2008 11:58 AM CDT
SQL injection attacks use form inputs to manipulate the queries sent to the SQL server. In these kinds of attacks, the hacker may get control over the server, and thus access information that should be protected.
In order to better control and protect yourself against such attacks, it is always nice to know more about how they work. Kassaras has made a very nice How-To, where he explains in detail how you can set up a test system and then try to manipulate it.
The post is well worth a read!
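Added example, not from the post above or from the How-To it links: the same login check written twice, once by string-building the query and once with bound parameters, run against an in-memory SQLite table of constructed rows. The table, users and passwords are invented for the demonstration.

```python
"""SQL injection: string-built query beside its parameterized form.

Added example, not from the original post. Uses an in-memory SQLite
database with constructed sample rows so it runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return db


def login_vulnerable(db, username, password):
    """The classic mistake: form input is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest of the input
    is parsed as SQL. Kept deliberately broken to show the effect."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the driver sends the input as data, never as SQL
    syntax, so quotes and comment markers in it are just characters."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Comment out the password check entirely: the query becomes
    #   ... WHERE username = 'alice' --' AND password = 'x'
    print(login_vulnerable(db, "alice' --", "x"))          # admin
    # Tautology in the password: AND binds tighter than OR, so every row
    # matches and the first one (the admin) comes back.
    print(login_vulnerable(db, "bob", "' OR '1'='1"))       # admin
    # Same inputs against the parameterized query: no match.
    print(login_safe(db, "alice' --", "x"))                 # None
    print(login_safe(db, "bob", "' OR '1'='1"))             # None
```

One thing the example does not show: Python's `sqlite3.execute` refuses more than one statement per call, so a stacked `'; DROP TABLE users; --` payload raises an error here. That is a property of this driver, not a defense; the two bypasses above need only a single statement and work unchanged.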
Posted: 22 Aug 2008 10:37 AM CDT
It turns out that last week Fedora servers, including one that is used to sign packages, were compromised. Red Hat claims that the servers were taken offline as soon as the breach was “quickly” discovered.
The question lingers. When were they breached?
Running Fedora? You might want to check your systems just to be safe. Also, the folks at Red Hat are asking for anyone that has information on this breach to contact their legal folks via “fedora-legal SHIFT2 redhat com”. They make a point of noting that the Fedora and Red Hat servers are separate. The Red Hat servers also use a different key that was not accessed.
Posted: 22 Aug 2008 09:37 AM CDT
Originally posted to the Zero Day blog on Ziff Davis: http://blogs.zdnet.com/security/?p=1735
This article was also referenced in a Dark Reading blog post by John Sawyer: http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=162049
All updates will reside here as I have no control over the article on Ziff Davis.
DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release. Before anyone has a chance to post “It’s all on the DEFCON CD dummy” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.
The DEFCON CD can be found here: http://edge.i-hacked.com/defcon16-cd-iso-posted
Think you are good enough? The binaries from Capture the Flag have been posted here: http://nopsr.us/ctf2008/
PE-Scrambler – by Nick Harbour
Packet-O-Matic – by Guy Martin
SA Exploiter – by Securestate
Fast-Track – by Securestate
Beholder – by Nelson Murilo and Luis Eduardo
The Middler – by Jay Beale
ClientIPS – by Jay Beale
Marathon Tool – by Daniel Kachakill
The Phantom Protocol – by Magnus Brading
ModScan – by Mark Bristow
Grendel Scan – by David Byrne
iKat – interactive Kiosk Attack Tool (This site has an image as a banner that is definitely not safe for work! – You have been warned) – by Paul Craig
DAVIX – by Jan P. Monsch and Raffael Marty
CollabREate – by Chris Eagle and Tim Vidas
VMware Pen-Testing Framework – by John Fitzpatrick
Dradis – by John Fitzpatrick
Squirtle – by Kurt Grutzmacher
WhiteSpace – by Kolisar
VoIPer – by nnp
Barrier – by Errata Security
Psyche – by Ponte Technologies
Posted: 22 Aug 2008 09:33 AM CDT
Reputation damage can be one of the most difficult concepts to build measurements around. In fact, it can be difficult to develop the actual metrics for the measurements, as well. Damage to things like “corporate reputation” and “goodwill” and “brand equity” can be difficult to wrap even reasonable dollar estimates around (When I use FAIR, I really only care to use one metric when describing loss magnitudes - the almighty currency).
A complicating factor is the impact (or lack thereof) of incidents on stock price. Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bellwether metric for incident impact. I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!” But these days notable incidents seem to suggest that the impact on stock price for an incident is short lived. With qualifications, of course.
So what would/should we make of this from Money.co.uk?
£12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients
That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases. It’s like when you read the headlines from Bloomberg about why the day’s stock (or commodity) prices are up or down. You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines. You really do have to question the causality and correlation. So in the Helphire case above - is this new drop in stock really because of the email sent? If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated due to the long-term trend of stock price?
Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement - about the future, present or past. The best we can do is use ranges, distributions, that are reasonable based on evidence and observation.
So it’s worth filing away this sort of datum for future use - while dutifully acknowledging the qualifiers we might place around it.
So the questions I ask here - what should we make of this new information, and how should we view the $24million drop - they’re not rhetorical. I am very interested in your views and welcome your comments!
Posted: 22 Aug 2008 09:29 AM CDT
The most interesting, creative, fun and innovative people don’t run with the pack. You’re a leader because your team believes you are worth following, not because you are appointed leader. You don’t lead by giving orders, you lead by motivation. Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously. ‘Who’s to blame’ is the [...]
Posted: 22 Aug 2008 09:18 AM CDT
The servers at Fedora were attacked and compromised recently. The folks at Redhat are confident that none of the Fedora packages were compromised, but I’d be cautious for a while until the whole story is known.
Posted: 22 Aug 2008 09:16 AM CDT
Paul & Larry are back in the studio!
Posted: 22 Aug 2008 09:08 AM CDT
My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits. Hmm. A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy. No Gary, I think that corporate mission statements, like political party policies, are high entropy, and with a high negative correlation with [...]
Posted: 22 Aug 2008 09:00 AM CDT
No, not a Google, it’s a Sagan! I’m sure that like me you get mails that read something like From:Mr.John Lewis Phone No: 44-702 409 9061 This is to inform you that your funds of US$15 Million has been approved for immediate delivery to you. For the purpose of clarification,you are advised to reconfirm your Full Names,Direct Telephone Numbers,Physical Address with Zip Code [...]
Posted: 22 Aug 2008 08:48 AM CDT
Posted: 22 Aug 2008 07:38 AM CDT
Starting the day off in the dentist chair. The bright side being that Friday has arrived. Have a great weekend everyone!
And now, the news…
Posted: 22 Aug 2008 12:50 AM CDT
I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.
Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.
I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.
Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.
Posted: 21 Aug 2008 05:11 PM CDT
Congratulations to all of the nominees and winners of the 2008 Pwnie Awards. We had a much larger turnout for the ceremony this year and we actually had people present to accept their awards and give acceptance speeches.
In case you missed the awards, you can see the list of winners at the Pwnie Awards site. Or get yourself some fresh popcorn, a cold beer, and some nice buggy code to relax and watch the video that Alex Sotirov just uploaded today. Be sure to mock the guy with the “I <3 Pwnies” t-shirt.
Posted: 21 Aug 2008 04:25 PM CDT
The Street picked up some tips I published for people to protect themselves online. That fact got me reading the article originally, but what I want to call your attention to today is the other half of the article, which details some interesting research implying that online banks commit an awful lot of errors that enable phishing against their customer bases. States the article,
The study found that of the 214 U.S. financial institution Web sites that were analyzed, 76% of them had at least one design flaw which could compromise your financial data.
Posted: 21 Aug 2008 03:08 PM CDT
Tom has a post that just has to be read on his experiences with the support folks at Apple. He called them when the hard drive on his wife’s laptop started to fail.
Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting.
Posted: 21 Aug 2008 12:34 PM CDT
According to this article over on BBC News, IE8 will include a "Privacy feature" while browsing. Something that has been in Apple's Safari browser for at least a couple of versions now. I mean, it's obvious they were going to copy it, as it's a great feature... but just wanted to point out the obvious right quick.
Posted: 21 Aug 2008 12:15 PM CDT
We are going to approach this subject very lightly as I’m sure it’s clearly copyright infringement, however Lifehacker has a great post for a website called Mygazines. (which we won’t link to for legal purposes) Basically it’s a repository of scanned magazines encompassing just about anything and everything your heart desires, minus the pr0n. [...]
You are subscribed to email updates from Security Bloggers Network.