<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2000302002661616751</id><updated>2012-01-31T16:28:58.847-05:00</updated><category term='Random'/><category term='miscellaneous'/><category term='Phishing'/><category term='Spoofing'/><category term='Standards'/><category term='FOI'/><category term='Trust Subversion'/><category term='mobiles'/><category term='Spear Phishing'/><category term='General Internet'/><category term='VPN'/><category term='Pen Testing'/><category term='Malware'/><category term='PKI'/><category term='Security Concepts'/><category term='Methods'/><category term='Exploit News'/><category term='Resources'/><category term='spam'/><category term='Privacy'/><category term='craigslist'/><category term='Humor'/><category term='SSL'/><category term='conficker'/><category term='Funny'/><category term='Metrics'/><category term='CVE'/><title type='text'>Security Workshop</title><subtitle type='html'>Network Security...  

From a newcomer's perspective.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>23</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6878837329748227228</id><published>2010-01-13T14:46:00.005-05:00</published><updated>2010-01-13T15:07:14.777-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='craigslist'/><title type='text'>Nigerians Just Don't Know When to Quit</title><content type='html'>&lt;span style="font-family:arial;"&gt;This is an interesting piece of phishing here.  My wife and I are looking for a new place to hang out hats as our lease is up for our apt. and we aren't too pleased with our current place.  We look at a variety of places, including craigslist.  Here's one that is really kind of strange.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I won't reveal the posting, but basically it was a house for rent in a city near us.  It looked like a great deal (too great honestly), but I thought "why not, if it is on the up and up then we win".  
So I sent an email to the person without giving too much info:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;Hello Nannette,&lt;br /&gt;&lt;br /&gt;My wife and I are interested in the apartment that you have advertised on Craigslist (PostingID: xxx).  We would like to view the house, hopefully soon (maybe this weekend).  If you have time or need information from us, please reply, I'd be happy to provide anything necessary.&lt;br /&gt;&lt;br /&gt;Looking forward to hearing from you,&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;span style="font-family:arial;"&gt;Needless to say, I was hoping that revealing my email address wasn't too much.  Hoping to hear from a nice old lady or something, here is the response that I got:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;" &gt;Hello Dear,&lt;br /&gt;&lt;br /&gt;Thanks for the email. I own the house and also want you to know that it was due to my transfer to ( West Africa , Nigeria ) that makes us to leave the house and also want to give it out for rent and looking for a responsible person and God fearing person who can take very good care of the house in my absence.we are not after the money for the rent but want it to be clean all the time and the person that will rent it to take it as if it were its own.&lt;br /&gt;&lt;br /&gt;So for now, I am  here in West Africa and will be staying here for the next 3years in our new house and also with the keys of the house for rent, we try to look for an agent that we can give this documents and the keys before we left but could not find, and we as well  do not want our house to be used any how in our absence that is why we took it along with&lt;br /&gt;us.&lt;br /&gt;&lt;br /&gt;We came over to Africa for a missionary work, so i hope you will promise us that you will  take very good care of the house. 
So get back to me if you know you could take care of our house or perhaps experience you have in renting home.Hope you are okay with the price of $900 per month and  the security Deposit is $500 and the first month rent will be $1,400.Get back to me with the rental application. You can go ahead and view the house but note that you will not ba able to view the inside of it because of security reason here is the address bellow:&lt;strong&gt;&lt;span style=";font-family:&amp;quot;;" &gt;([redacted]).&lt;/span&gt;&lt;/strong&gt;Please if you are ready now to occupy the house kindly provide the information below for record purpose&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;" &gt;                       &lt;strong&gt;&lt;span style=";font-family:&amp;quot;;" &gt;PLEASE TELL US ABOUT YOURSELF&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;Full Name_______________________________&lt;br /&gt;Home Phone (        ) ________________________&lt;br /&gt;Cell Phone (       ) ___________________&lt;br /&gt;Date of Birth_____________________________&lt;br /&gt;Current Address________________________&lt;br /&gt;City____________State______ Zip______&lt;br /&gt;Reasons for Leaving____________________________Rent $________&lt;br /&gt;Are you married____________________________&lt;br /&gt;How many people will be living in the house___________&lt;br /&gt;Do you have a pet____________________________&lt;br /&gt;Do you have a car____________________________&lt;br /&gt;Occupation____________________________&lt;br /&gt;Move In Date____________________________&lt;br /&gt;Are you moving in with your furniture_______________&lt;br /&gt;A picture of occupant _______________&lt;br /&gt;How soon can you make the payment_____________&lt;br /&gt;How soon do you want to receive the keys and the document______&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;  &lt;span style=";font-family:&amp;quot;;font-size:100%;"  &gt;pets allowed.&lt;br /&gt;&lt;br /&gt;Thanks and Remain 
Blessed.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;span style=";font-family:arial;font-size:100%;"  &gt;&lt;span style="font-size:12pt;"&gt;At least they made it sound like a nice old lady... [delete]&lt;/span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:100%;"  &gt;Now I'm regretting sending the message from my actual email address.  Oh well, such is life.  Here's the thing that I just don't get.  Is someone really living there?  Are they going to see a bunch of strangers peeking in their house?  Is the house unoccupied?  Does it even exist?  My curiosity is making me want to go house hunting.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6878837329748227228?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6878837329748227228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6878837329748227228&amp;isPopup=true' title='16 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6878837329748227228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6878837329748227228'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2010/01/nigerians-just-dont-know-when-to-quit.html' title='Nigerians Just Don&apos;t Know When to Quit'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>16</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6808168510972678402</id><published>2009-07-23T13:10:00.002-04:00</published><updated>2009-07-23T13:15:24.660-04:00</updated><title type='text'>Blogging and twittering</title><content type='html'>Hi All, &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Although it may seem like I've been gone a while, I have actually been blogging elsewhere.  I have been contributing regularly to &lt;a href="http://blog.astaro.com"&gt;blog.astaro.com&lt;/a&gt;.  I haven't been posting here, well, because I simply don't have time for both ;o)  I will see if I can repost to my blog here.  
Most articles are written as general commentary and tips for tech generalists that don't focus on security all day, but need to be mindful of basic security issues.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Also,  I am now on twitter.  Follow me &lt;a href="http://twitter.com/tccroninv"&gt;@tccroninv&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;On a personal note, Ben is growing up way too fast.  He is talking up a storm, potty training, getting really really tall and just simply being the average 20-month-old.  He is the best thing ever.  In the history of ever.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6808168510972678402?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6808168510972678402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6808168510972678402&amp;isPopup=true' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6808168510972678402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6808168510972678402'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/07/blogging-and-twittering.html' title='Blogging and twittering'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6552242175274960605</id><published>2009-04-30T17:09:00.003-04:00</published><updated>2009-04-30T17:39:08.424-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Standards'/><title type='text'>Going Around In Circles</title><content type='html'>&lt;span style="font-style: italic;"&gt;Let's not start that again...&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;As of late there has been a heated debate among the community that various forms of standards and compliance are effective/ineffective at actually securing systems and networks.  
Just a quick note:&lt;br /&gt;&lt;br /&gt;The first post I read today is from &lt;a href="http://www.ascensionriskmanagement.com/BlogOne/2009/04/30/compliance/"&gt;&lt;span style="text-decoration: underline;"&gt;Ascension Risk Management&lt;/span&gt;&lt;/a&gt;.  It lays out a point/counterpoint that, suffice to say, leans towards the conclusion that standards and compliance are not effective: for something resembling a standard to be effective, it must be made either too narrow or not actionable.  This is a good argument, but it doesn't tell the whole story.&lt;br /&gt;&lt;br /&gt;The next blog post I read is from &lt;a href="http://www.emergentchaos.com/archives/2009/04/no_evidence_and_breach_no_1.html"&gt;Emergent Chaos&lt;/a&gt;.  This post was about the fact that after former/embattled/kind-of/not Senator Norm Coleman's campaign infrastructure was broken into, and there may have been a breach, donors found out via Wikileaks rather than from the campaign.  One quote sticks out:&lt;br /&gt;&lt;span style="font-size: 12pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;"&gt;&lt;blockquote&gt;We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.&lt;/blockquote&gt;&lt;/span&gt;So within the same day, there is one school saying that standards are ineffective and another stating that we need more standards in order to sort through the varied methods people use for security-related tasks.  &lt;span style="font-style: italic;"&gt;What a vicious circle&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;I am on the fence.  
I think that without standards, there are a good number of small and medium-sized businesses that would have no security or extremely lax security.  Standards do help to push these organizations into doing more to protect data.  On the other hand, for a competent security practitioner, these standards are simply "fill in the box" tests to adhere to.  That security practitioner is likely doing more to secure the infrastructure than the standard accounts for.&lt;br /&gt;&lt;br /&gt;I think standards are simply not scalable.  If there must be policy, it should reflect the end result, not the means.  It is better to say "you are liable for any breach that occurs" than "you are not allowed to have SSLv2 on your hosts".  In this way, it creates an incentive for network owners and operators to think about how to go about security.  If there's a breach, they are liable, after all.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6552242175274960605?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6552242175274960605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6552242175274960605&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6552242175274960605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6552242175274960605'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/04/going-around-in-circles.html' title='Going Around In Circles'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-3715288534093945149</id><published>2009-04-24T21:11:00.003-04:00</published><updated>2009-04-30T17:40:38.755-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='miscellaneous'/><category scheme='http://www.blogger.com/atom/ns#' term='conficker'/><title type='text'>Thoughts on Conficker</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://api.ning.com/files/z0U-Am1TjRsIHzA*jcrYy-Y5dD1EHQdmbQJRzTN-qzWvnu2c4p26M7wrqhYcR8ogg2aROKY-Tf5jpmPI-C1XMFhsrsSeeluq/BostonRedSoxLogo.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; 
width: 378px; height: 298px;" src="http://api.ning.com/files/z0U-Am1TjRsIHzA*jcrYy-Y5dD1EHQdmbQJRzTN-qzWvnu2c4p26M7wrqhYcR8ogg2aROKY-Tf5jpmPI-C1XMFhsrsSeeluq/BostonRedSoxLogo.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;well, if you can call them thoughts&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Long time since my last post.  There has been a lot going on in the personal aspects of my life.  One of the things that I am happy about, though, is that Red Sox baseball is now in full swing.  Today is the first of the infamous Red Sox/Yankees games.&lt;br /&gt;&lt;br /&gt;So, speaking of Conficker...&lt;br /&gt;&lt;br /&gt;Today's game is turning out to be as hyped up with no results as Conficker.  Even the blogosphere has been less active about Conficker since April 1st.  Admittedly, this worm is the first really widely spread worm since my intro to the technology industry.  I was expecting to hear of or see infections first- or secondhand, but I have not.  While I'm happy that Conficker was contained in my area of the planet, it was hyped up quite a lot.&lt;br /&gt;&lt;br /&gt;Today's game is not going so well for the hype either.  Joba Chamberlain's outing was uneventful.  This is similar to the April Fools' Day event.  Lots of hype, but no substance.  In fact, Youk was walked twice - not beaned.&lt;br /&gt;&lt;br /&gt;All of that being said, today's game will have a winner and there will be some events that are worth cheering or booing.  This is like Conficker - there is substance, but it is not in the exciting, ratings-grabbing manner.  Daily attendants of either will find something interesting and there will be something new to learn.&lt;br /&gt;&lt;br /&gt;Edit: This game (and the series as a whole) was actually quite exciting.  Maybe the best is yet to come from Conficker...&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-3715288534093945149?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/3715288534093945149/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=3715288534093945149&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3715288534093945149'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3715288534093945149'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/04/thoughts-on-conficker.html' title='Thoughts on Conficker'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-2332371287335877153</id><published>2009-04-01T22:46:00.002-04:00</published><updated>2009-04-01T23:34:16.890-04:00</updated><title type='text'>Happy April Fools' day!</title><content type='html'>Quick Update: Conficker did not display "Happy Birthday Vovo!" like I had hoped.  (Nor did it do much at all - but that doesn't mean it is any less troublesome.)&lt;br /&gt;&lt;br /&gt;My favorite new April Fool, the funny RFC, actually makes a little bit of sense this year.  
In the past, it ranged from telling you how to &lt;a href="http://en.wikipedia.org/wiki/IP_over_Avian_Carriers"&gt;send IP in the most efficient manner&lt;/a&gt; to how to &lt;a href="http://tools.ietf.org/html/rfc2321"&gt;monitor your network properly&lt;/a&gt;.  This year it is a way to teach IPv6 and get more IP addresses out there.  It is a joke, because these addresses are not "real", but it's an interesting thought.  I think I will use the analogy to explain IPv6 from now on... (I'll always give credit to &lt;a href="http://tools.ietf.org/html/rfc5514"&gt;RFC 5514&lt;/a&gt;).  They actually made a Facebook app :o)&lt;br /&gt;&lt;br /&gt;Google introduced an automated you for Gmail, but I liked the printed and mailed emails idea better (from a previous year).&lt;br /&gt;&lt;br /&gt;And in case you want squeeze bacon, see &lt;a href="http://www.thinkgeek.com"&gt;ThinkGeek&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-2332371287335877153?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/2332371287335877153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=2332371287335877153&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2332371287335877153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2332371287335877153'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/04/happy-april-fools-day.html' title='Happy April Fools&apos; day!'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-7222352539923029979</id><published>2009-03-31T12:34:00.004-04:00</published><updated>2009-03-31T12:40:05.358-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Humor'/><title type='text'>My Conficker Note</title><content type='html'>Sorry for not posting for a bit, my personal life has been busy lately (we moved, hopefully the last time for a long, long time.).&lt;br /&gt;&lt;br /&gt;There has been a lot said about the Conficker (downadup, kido, april fools day worm, etc...).  
I can't really add anything new that hasn't already been said on the &lt;a href="http://www.securitybloggers.net/"&gt;Security Bloggers Network&lt;/a&gt;.  What I would like to say is that I hope that what it does is simply make all the infected computers say "Happy Birthday, &lt;a href="http://dictionary.reverso.net/portuguese-english/vov%C3%B3"&gt;Vovo&lt;/a&gt;!" because the now infamous April 1st target is my Vovo's birthday and I always forget to call.  (If it does do this, I swear, I didn't make it happen...).&lt;br /&gt;&lt;br /&gt;(Yes, this is my sense of humor, and if you like it then I am your friend for life - nobody gets me :o)&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-7222352539923029979?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/7222352539923029979/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=7222352539923029979&amp;isPopup=true' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7222352539923029979'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7222352539923029979'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/03/my-conficker-note.html' title='My Conficker Note'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6735320990489060621</id><published>2009-03-18T14:37:00.002-04:00</published><updated>2009-03-18T14:49:56.916-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>"Google Hacking" made easy</title><content type='html'>&lt;span style="font-style: italic;"&gt;sort of...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A lot of people use Google to find information on a "target" or "mark".  A lot of times this is either a person, organization or machine.  If your mark is a person, there is now a web service that can do this easily, &lt;a href="http://www.pipl.com"&gt;www.pipl.com&lt;/a&gt;.  
&lt;span style="font-style: italic;"&gt;The New York Times&lt;/span&gt; outlines this with the article &lt;a href="http://shiftingcareers.blogs.nytimes.com/2008/06/09/when-googling-a-person-or-yourself-isnt-enough/?emc=eta1"&gt;When Googling a Person (or Yourself) Isn't Enough&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Okay, so these services have been around and the end of the world didn't show up.  This is a typical kind of piece that is important to know about, but not to lose sleep over.  The information that Pipl finds is not generated by searching databases that are normally off-limits.  It does dig a bit deeper than google does by default, but all the info is still public.  The bigger question when you find something about yourself that you didn't expect is how did the original recipient of this information make it public and why did I not know.&lt;br /&gt;&lt;br /&gt;I think Pipl is a good thing because it allows average people find information that nefarious people may have found anyways.  Thoughts?&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6735320990489060621?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6735320990489060621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6735320990489060621&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6735320990489060621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6735320990489060621'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/03/google-hacking-made-easy.html' title='&quot;Google Hacking&quot; made easy'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6096931761166440278</id><published>2009-03-17T19:18:00.002-04:00</published><updated>2009-03-17T19:20:42.110-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Random'/><title type='text'>Really Quickly</title><content type='html'>I was typing an email to my wife and noticed that MS Outlook knows that Comcast should be capitalized.  I wonder what other conglomerates are large enough to have their names known to Outlook.&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6096931761166440278?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6096931761166440278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6096931761166440278&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6096931761166440278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6096931761166440278'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/03/really-quickly.html' title='Really Quickly'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-3365308370802538404</id><published>2009-03-04T01:40:00.003-05:00</published><updated>2009-03-04T02:12:00.024-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='General Internet'/><title type='text'>Personal Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://utamagazine.uta.edu/spring_2003/images/stalking.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 325px; height: 323px;" src="http://utamagazine.uta.edu/spring_2003/images/stalking.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: 
italic;"&gt;In the "Digital Age"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;I was driving home tonight and I was listening to "On Point, with Tom Ashbrook" (NPR).   Today's topic was "Cyberbullying", specifically a court case that may have far-reaching effects.  &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.onpointradio.org/shows/2009/03/cyber-harassment/"&gt;Listen here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The story starts with two Yale law students who were harassed and libeled online by an internet community.  This harassment and libel may have cost one or both of them job offers (by overly-sensitive prospective employers googling them and having these nasty posts show first).  There were also threats and stalking comments made (there were personal threats that made the individuals fear for their safety, as the comments were made by people who had to have physically seen them).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;To make matters worse, the host of these threads failed to act in a regulatory manner to take down these threads.  Also, they (allegedly) deleted logs and subsequently disabled logging for users that post to threads, making it harder to find the anonymous culprits.  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This last part troubles me.  I believe in freedom of speech just like all Americans should.  That being said, there are certain types of speech that should not be protected.  When you feel threatened, you have a right to address that threat to ensure your personal safety and the safety of others.  But if you don't know who is threatening you - other than the fact that it is some guy/girl with an internet connection - then what can you do?  It is vital that the internet community self-regulate certain content.  
If we, as hosts, don't self-regulate then we may have to be regulated by an authority, which is potentially far worse.&lt;br /&gt;&lt;br /&gt;As a security practitioner, I feel that the failure of the host to pull the threads and put the users that caused this uproar on notice has left an open door for legislators to mandate certain restrictions on this type of content.  This will make hosting less attractive for these new and exciting "Web 2.0" sites we all love (Why get involved in accounting for other people's words?  Why become a legal target for lawsuits over content that someone else wrote?).  Also, security professionals will need to concern themselves with accounting for each logged-in session.  This detracts from the overall security of the site.  Very bad news, indeed.&lt;br /&gt;&lt;br /&gt;I hope this black mark can be sorted out without any far-reaching effects and I hope that hosts can learn to self-regulate effectively enough to prevent any future legislation.&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-3365308370802538404?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/3365308370802538404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=3365308370802538404&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3365308370802538404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3365308370802538404'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/03/personal-security.html' title='Personal Security'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-5718651905211350486</id><published>2009-02-25T18:24:00.001-05:00</published><updated>2009-02-25T21:41:10.160-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Funny'/><title type='text'>Eating Ubuntu</title><content type='html'>&lt;span style="font-style: italic;"&gt;What?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.people.fas.harvard.edu/%7Esbesson/Images/ubuntu-logo.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 257px; height: 235px;" 
src="http://www.people.fas.harvard.edu/%7Esbesson/Images/ubuntu-logo.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;That's right, there is now a &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/02/24/AR2009022400758.html"&gt;restaurant&lt;/a&gt; called &lt;a href="http://www.ubuntu.com/"&gt;&lt;span style="font-weight: bold;"&gt;Ubuntu&lt;/span&gt;&lt;/a&gt; in the Napa region of CA.   Competitor &lt;a href="http://www.knoppix.net/"&gt;&lt;span style="font-weight: bold;"&gt;Knoppix&lt;/span&gt;&lt;/a&gt; was seen pulling up with a food-mobile to serve your immediate nourishment needs, but never actually constructing a building.  (OK, that's a horrible joke.)&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-5718651905211350486?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/5718651905211350486/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=5718651905211350486&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/5718651905211350486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/5718651905211350486'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/02/eating-ubuntu.html' title='Eating Ubuntu'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-1704883242068847694</id><published>2009-02-25T13:05:00.000-05:00</published><updated>2009-02-25T13:41:40.158-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='VPN'/><category scheme='http://www.blogger.com/atom/ns#' term='Security Concepts'/><category scheme='http://www.blogger.com/atom/ns#' term='mobiles'/><title type='text'>Mobile Devices on the LAN</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://blog.craftzine.com/dt_handknit_iphone.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 353px; height: 480px;" 
src="http://blog.craftzine.com/dt_handknit_iphone.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;iPhone Hype, get your iPhone hype here!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Those handsome, intelligent and engaging folks over at &lt;a href="http://www.astaro.com/"&gt;Astaro Internet Security&lt;/a&gt; have just introduced a very easy &lt;a href="http://www.astaro.com/newsroom/press_releases/astaro_first_solution_to_auto_configure_iphone_vpn_access"&gt;IPSec client auto-setup for an iPhone&lt;/a&gt; to connect to a protected LAN.  This got me thinking.  There is a lot of information available on securing your iPhone and other mobile devices from intrusion, but there isn't a lot of information available about securing your LAN from intrusion by your mobile users.&lt;br /&gt;&lt;br /&gt;The idea of using a full IPSec tunnel for all network traffic is great for iPhone security.  You are no longer sending data in the clear, whether it's to your corporate mail server or to Gmail.  This should cut back on some threats at the iPhone level.  But because you are also giving access to your LAN, it can create an all new set of issues on your LAN.&lt;br /&gt;&lt;br /&gt;A lot of security types are used to thinking about mobile devices as similar to laptops.  After all, they are similar: they're mobile, they can hop on and off your local (trusted) wireless link, they have remote access capabilities, etc.  I posit that they are, in fact, different in a few key ways.  For instance, most people turn their laptops off (or at least have them sleep) when they are actively traveling.  This is not the case for mobile devices.  The chances of a mobile device &lt;a href="http://securosis.com/2008/04/28/iphone-security-tip-never-memorize-wireless-networks/"&gt;attaching to a rogue, unsecured or malevolent access point&lt;/a&gt; are far greater.  Therefore the exposure to all sorts of nastiness is greater.  
How can you trust something like that on your LAN?&lt;br /&gt;&lt;br /&gt;I would like to suggest some ideas (in bullet-point goodness):&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Expect the Worst&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Always assume that a mobile device is owned and treat it as such, because it will be easier to deal with &lt;span style="font-weight: bold;"&gt;when&lt;/span&gt; it happens.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Segment Mobile Devices:&lt;br /&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Whenever possible, limit access to the LAN.  Only give access to business-critical infrastructure that is in a secure place, preferably segmented from any LAN.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Set up different SSIDs, WLANs and access points specifically for mobile users when in the office.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Do not allow mobiles to communicate with laptops and other wireless devices.&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Use Device Level Security&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Find reputable applications that protect the mobile device from intrusion.&lt;/li&gt;&lt;li&gt;Use VPNs when possible to ensure no data is sent in the clear.  This can often have an effect on your LAN, since the tunnel brings the device onto it.&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;Make Concise and Enforceable Usage Policies&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Make sure that anybody that can gain access to your network with a mobile device is subject to a strict usage policy.  This at least allows you to take action when/if an incident occurs.  This policy should be different from any other current remote access policy, as the concepts are different.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Training is considered somewhat "controversial" as you can't ensure that people will learn from it and listen.  However, it is a good start and most people will be receptive (or face your wrath).&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;As always, I would love to hear some feedback.  Let me know if anything I've said has worked successfully.  
Report bugs in this theory to bugtraq... (or in the comments section)&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-1704883242068847694?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/1704883242068847694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=1704883242068847694&amp;isPopup=true' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/1704883242068847694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/1704883242068847694'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/02/mobile-devices-on-lan.html' title='Mobile Devices on the LAN'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-5689691938581736222</id><published>2009-02-20T00:22:00.000-05:00</published><updated>2009-02-20T00:39:37.730-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='Exploit News'/><category scheme='http://www.blogger.com/atom/ns#' term='CVE'/><title type='text'>Adobe Reader Exploit in the Wild</title><content type='html'>Hi All,&lt;br /&gt;&lt;br /&gt;Just passing this info on.  
I just read on &lt;a href="http://www.theregister.co.uk/"&gt;The Register&lt;/a&gt; that fully updated and patched Adobe Reader applications running on fully patched Windows systems are vulnerable to a new exploit.  The original info from the Reg. article is at &lt;a href="http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219"&gt;Shadow Server&lt;/a&gt;, but Adobe fully recognizes the vulnerability &lt;a href="http://www.adobe.com/support/security/bulletins/apsb07-18.html"&gt;here&lt;/a&gt;.  More info from US-CERT &lt;a href="http://www.us-cert.gov/cas/techalerts/TA07-297B.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Apparently, this exploit leverages a known vulnerability in the way MS Windows XP/2003 handles URIs.  Using that vulnerability, it is possible to open a trojaned PDF file and have arbitrary commands injected into your PC.&lt;br /&gt;&lt;br /&gt;The "Fix" stated in that article is to disable Acrobat JavaScript (we all have JavaScript off already, right???).  I can assume (but have not tested) that the Firefox NoScript add-on can save you from this.  Adobe, on the other hand, "strongly recommends" updating to version 8.1.1 of the Adobe Acrobat (Reader) application.&lt;br /&gt;&lt;br /&gt;Here is a quote from pdp of GNUCitizen (credited with the find):&lt;br /&gt;&lt;blockquote&gt;http://www.gnucitizen.org/blog/0day-pdf-pwns-windows&lt;br /&gt;&lt;br /&gt;I am closing the season with the following HIGH Risk vulnerability:&lt;br /&gt;Adobe Acrobat/Reader PDF documents can be used to compromise your&lt;br /&gt;Windows box. Completely!!! Invisibly and unwillingly!!! All it takes&lt;br /&gt;is to open a PDF document or stumble across a page which embeds one.&lt;br /&gt;&lt;br /&gt;The issue is quite critical given the fact that PDF documents are in&lt;br /&gt;the core of today's modern business. 
This and the fact that it may&lt;br /&gt;take a while for Adobe to fix their closed source product, are the&lt;br /&gt;reasons why I am not going to publish any POCs. You have to take my&lt;br /&gt;word for it. The POCs will be released when an update is available.&lt;br /&gt;&lt;br /&gt;Adobe's representatives can contact me from the usual place. My advice&lt;br /&gt;for you is not to open any PDF files (locally or remotely). Other PDF&lt;br /&gt;viewers might be vulnerable too. The issue was verified on Windows XP&lt;br /&gt;SP2 with the latest Adobe Reader 8.1, although previous versions and&lt;br /&gt;other setups are also affected.&lt;br /&gt;&lt;br /&gt;A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.&lt;br /&gt;&lt;br /&gt;cheers&lt;br /&gt;&lt;br /&gt;--&lt;br /&gt;pdp (architect) | petko d. petkov&lt;br /&gt;http://www.gnucitizen.org&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-5689691938581736222?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/5689691938581736222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=5689691938581736222&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/5689691938581736222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/5689691938581736222'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/02/adobe-reader-exploit-in-wild.html' title='Adobe Reader Exploit in the Wild'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-7962866068210584151</id><published>2009-02-18T21:58:00.000-05:00</published><updated>2009-02-20T01:11:00.351-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Spoofing'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><category scheme='http://www.blogger.com/atom/ns#' term='Spear Phishing'/><title type='text'>SPF - Not Just for Your Skin</title><content type='html'>SPF - I need 200, how 'bout you?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Anecdotally, I have seen more reports of targeted "spoofed domain" spam.   
This is a troubling scenario if your domain really is targeted rather than just picked up by a bot.  I'll outline a rather nasty one, no names given of course.&lt;br /&gt;&lt;br /&gt;The idea is that you receive an email from yourself or another user on your domain.  A common one is that everyone on your domain gets an email from someone claiming to be a domain admin.  You may think that you need to have a pwn'd machine on your network for this to happen, but that is not the case.  As long as someone knows your email domain, this attack vector is easy to produce manually as well as automatically.&lt;br /&gt;&lt;br /&gt;The incident that was reported to me is interesting.  There was a learning institution that had a user's mail account compromised.  This quickly meant that the IP address and domain name were blacklisted.  The admin is now stressed to begin with and is not necessarily thinking straight.&lt;br /&gt;&lt;br /&gt;Next, the compromised account was flushed out and the un-blacklisting process had started when everyone got an email from a "domain admin."  The email address looked authentic to the unsuspecting users because it came from the correct domain.  This new admin asked everyone on the domain to click a link and enter their usernames and passwords or their email account would be deleted.  (uh-oh)  Well, another email went out from the real admin telling them not to reply no matter what.  And most listened...&lt;br /&gt;&lt;br /&gt;(we all know what the ... means)&lt;br /&gt;&lt;br /&gt;Long story short, an &lt;a href="http://www.openspf.org/"&gt;SPF&lt;/a&gt; (Sender Policy Framework) record could have prevented this "spear phishing" attack.  SPF is basically a DNS record for your domain.  It specifies the IP addresses (or hostnames) of the hosts that are allowed to send mail for your domain.  Normally, after specifying the allowed servers, it ends with '-all'.  The '-' means "not allowed"; 'all' means, well, all.  
This is very important.&lt;br /&gt;&lt;br /&gt;He had a security appliance that was checking SPF for all domains.  This would also check for *his own* domain.  It diligently checked SPF and allowed the message anyway.  Why?  If he had had a proper SPF record, it would have said that the server that sent the message was not allowed to send for the domain.  As it turns out, his domain did have an SPF record, but it didn't tell the appliance to drop the message.  Instead it ended with '~all' (a "softfail" rather than a "fail"), which means "this is bad, but let it go anyway".&lt;br /&gt;&lt;br /&gt;I guess auditing may have been a good thing here.  It's strange how a single character can ruin an entire day or more.&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-7962866068210584151?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/7962866068210584151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=7962866068210584151&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7962866068210584151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7962866068210584151'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/01/spf-not-just-for-your-skin.html' title='SPF - Not Just for Your Skin'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-8486252764600922416</id><published>2009-02-13T19:20:00.000-05:00</published><updated>2009-02-13T19:39:34.940-05:00</updated><title type='text'>Art Imitating Life</title><content type='html'>&lt;span style="font-style: italic;"&gt;(or life imitating art?&lt;/span&gt;)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://imgs.xkcd.com/comics/security.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 448px; height: 274px;" src="http://imgs.xkcd.com/comics/security.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;&lt;br /&gt;Above is a comic from one of my favorite geeky websites, &lt;a href="http://www.xkcd.com"&gt;www.xkcd.com&lt;/a&gt;.  I like the site because there are 3 comics a week that are funny because they usually hit close to home.  Just by looking at the image above, you know that the people that we are trying to keep away from our networks are in the right panel.&lt;br /&gt;&lt;br /&gt;To be serious, miscreants don't use bleeding edge technology to target your Facebook page (unless they're really bored); people with nefarious purposes will break in using the computational equivalent of a $5 wrench.  I like this comic because it puts so much into perspective.  We need to be secure from the ubergeeks on the left, but we need to be watchful for the thugs on the right.  Besides, the thugs on the right are more likely to post embarrassing things about you or your company online.&lt;br /&gt;&lt;br /&gt;Let's take the scenario in the comic as real life.  I just left my company laptop on the seat in the airport while I went to the bathroom.  The two guys grabbed my laptop and noticed that a sticker on it says "property of [fortune 500 company]" -- SCORE!!!  They boot it up and notice that it's encrypted.  They aren't going to take it and work on the encryption at home, they're going to wait for me to leave the bathroom and coerce me to give them any password necessary.&lt;br /&gt;&lt;br /&gt;Here's what can stop this:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Educate users that their laptop is, in essence, their livelihood.&lt;/span&gt;  They wouldn't leave their wallet on the seat, so why should they leave their laptop?&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Try not to advertise the added value of a laptop.&lt;/span&gt;  Stealing my mom's photos is less valuable than stealing my company's financial and customer data.  
It's one thing to say "if found, return to [a discreet address]" (make sure the people there aren't vulnerable to social engineering); it's another to tell everyone that there is important data in here.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Encryption is still a good idea.&lt;/span&gt;  It's better to know that someone can't just get into the laptop's data if this situation arises.&lt;/li&gt;&lt;/ul&gt;Granted, this article lacks some real substance, but at least you got a chuckle from the comic ;)&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-8486252764600922416?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/8486252764600922416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=8486252764600922416&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/8486252764600922416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/8486252764600922416'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/02/art-imitating-life.html' title='Art Imitating Life'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-4795130001148843883</id><published>2009-02-06T13:18:00.000-05:00</published><updated>2009-02-06T13:37:17.528-05:00</updated><title type='text'>More Bad News</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.flatrock.org.nz/topics/flying/assets/hindenburg.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 338px; height: 263px;" src="http://www.flatrock.org.nz/topics/flying/assets/hindenburg.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Oh The Humanity!!&lt;br /&gt;&lt;br 
/&gt;&lt;/span&gt;Nobody seems to be untouched by the Hindenburg economy.  Right now there is so much hatch battening happening that nobody can afford to move forward.  What does this mean to security practitioners (other than having to do more with even less)?  It means that as attacks and attackers become more sophisticated, we, as an industry, are not able to move into a good position to fight back.&lt;br /&gt;&lt;br /&gt;Anecdotally, there are an astounding number of SMEs that have old systems, and systems administrators/security folk have to put band-aids on everything from printers that are only a little broken to network security appliances that only have a small amount of vulnerability.  Essentially, there are a lot of companies that offer services that are customizable by subscription.  If you have cutbacks and now cannot afford that IPS subscription, well, that's too bad - it still has to work, somehow.&lt;br /&gt;&lt;br /&gt;This is not so much an informational post as a post to express solidarity among the admins of the world that have to make things run extremely smoothly with nothing more than &lt;a href="http://forums.gumtree.com/topic262998.html"&gt;two paper clips and rubber bands&lt;/a&gt;.  Keep it going and keep smiling.&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-4795130001148843883?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/4795130001148843883/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=4795130001148843883&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/4795130001148843883'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/4795130001148843883'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/02/more-bad-news.html' title='More Bad News'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-414412236873221700</id><published>2009-01-15T00:34:00.000-05:00</published><updated>2009-02-06T13:18:33.057-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SSL'/><category scheme='http://www.blogger.com/atom/ns#' term='PKI'/><title type='text'>How HTTPS/SSL Works</title><content type='html'>&lt;span style="font-style: italic;"&gt;Four Words: "Then Some Magic Happens"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;It has become very clear to me recently that admins that are in charge of web clients do not fully understand the HTTPS (SSL) protocol. 
I was involved in one such incident recently that ended very badly due to a misunderstanding of this protocol. So, here is the HTTPS (SSL) protocol explained as plainly as I can - I hope this sheds some light on what I cannot easily find on Google (with a short attention span):&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;SSL is designed mainly for two security tenets, Confidentiality and Authentication (before the posts start, yes, I know that the "A" in "CIA" doesn't stand for authentication).  When I browse to a trusted site, I want to know that I am talking only to the party that I want to talk to and that my data is not being seen by anybody else.&lt;br /&gt;&lt;br /&gt;The way that SSL achieves this is by using trusted third parties (Certificate Authorities, a.k.a. CAs) and Public Key Infrastructure.  I won't go into details about public key cryptography, but just know that if you have a public key in your possession and you use it to encrypt data, the only system that can decrypt that message is a system that possesses the matching private key (and vice-versa).  PKI is used for authentication.&lt;br /&gt;&lt;br /&gt;Part of the whole process is setting up encryption.  Encryption is negotiated within the SSL protocol's initial handshake - at the same time as authentication is performed.  
Once the handshake is finished, a tunnel is created using a less computationally expensive process known as symmetric key cryptography (again, I won't go into detail, just know that once this is negotiated the traffic is now encrypted).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_gJOhGJlos8g/SW7bgtiMcbI/AAAAAAAAABc/SReIJHUYYlM/s1600-h/SSL.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 235px; height: 320px;" src="http://3.bp.blogspot.com/_gJOhGJlos8g/SW7bgtiMcbI/AAAAAAAAABc/SReIJHUYYlM/s320/SSL.png" alt="" id="BLOGGER_PHOTO_ID_5291407967232225714" border="0" /&gt;&lt;/a&gt;As you can see, I have created a (rather crude) diagram of SSL with steps 1-6.  This may be an over-simplification, but it is definitely a good foundation.  Here's a description:&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;When any modern browser is installed, it ships with several &lt;span style="font-style: italic;"&gt;CA issuer certificates&lt;/span&gt;.  These issuer certificates contain a public key for the issuer, among other information.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;When a web designer decides to use SSL, he needs to purchase a &lt;span style="font-style: italic;"&gt;certificate that is signed&lt;/span&gt; using the CA's private key.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The web browser starts a connection to an HTTPS site.  Along with this request the client sends all supported encryption schemes.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;As a response to the browser's connection request, the server sends a copy of the certificate from &lt;span style="font-style: italic;"&gt;step 2&lt;/span&gt;.  
Along with this transmission is the server's answer to the encryption negotiation.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Once the certificate is downloaded, its signature (&lt;span style="font-style: italic;"&gt;which was created using the CA's private key&lt;/span&gt;) is checked using the CA's public key (installed in the browser in &lt;span style="font-style: italic;"&gt;step 1&lt;/span&gt; - &lt;span style="font-weight: bold;"&gt;note that there is no need to use the network for this&lt;/span&gt;).  No error is thrown if this verification checks out.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The connection succeeds, and the client can now download from and upload to the web site with the security of encryption.&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
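The certificate check in step 5, as an added example in Go that is not from the original post: a constructed CA issuer certificate stands in for the ones shipped with the browser (step 1), it signs a server certificate (step 2), and the browser-side verification accepts that certificate but rejects one signed by a CA it does not have installed, and one whose name does not match the site, all without touching the network. CA names, serial numbers and host names are constructed demo values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a CA certificate (what the browser ships with, step 1) with the CA's private key.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newTemplate builds a certificate template; serials and names are constructed demo values.
func newTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := new(x509.Certificate)
	t.SerialNumber = big.NewInt(serial)
	t.Subject = pkix.Name{CommonName: name}
	t.NotBefore = time.Now().Add(-time.Hour)
	t.NotAfter = time.Now().Add(24 * time.Hour)
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCA creates a self-signed CA issuer certificate together with its private key.
func newCA(name string) (issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return issuer{}, err
	}
	t := newTemplate(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	if err != nil {
		return issuer{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return issuer{}, err
	}
	return issuer{cert: cert, key: key}, nil
}

// issueServerCert is step 2: the CA signs the site's certificate with its private key.
func issueServerCert(ca issuer, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := newTemplate(2, host, false)
	der, err := x509.CreateCertificate(rand.Reader, t, ca.cert, key.Public(), ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert is step 5: the signature on the server certificate is checked
// against the locally installed issuer certificates and the host name must match.
// Nothing is fetched from the network; an unknown issuer yields x509.UnknownAuthorityError.
func verifyServerCert(serverCert *x509.Certificate, installed []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range installed {
		roots.AddCert(c)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	trusted, err := newCA("Constructed Root CA")
	unknown, err2 := newCA("Constructed Unknown CA")
	if err != nil || err2 != nil {
		panic("CA setup failed")
	}
	good, _ := issueServerCert(trusted, "shop.example.com")
	bad, _ := issueServerCert(unknown, "shop.example.com")
	installed := []*x509.Certificate{trusted.cert}
	fmt.Println("signed by installed CA:", verifyServerCert(good, installed, "shop.example.com"))
	fmt.Println("signed by unknown CA:", verifyServerCert(bad, installed, "shop.example.com"))
	fmt.Println("host name mismatch:", verifyServerCert(good, installed, "mail.example.com"))
}
```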
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-414412236873221700?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/414412236873221700/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=414412236873221700&amp;isPopup=true' title='66 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/414412236873221700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/414412236873221700'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2009/01/how-httpsssl-works-part-1-basics.html' title='How HTTPS/SSL Works'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_gJOhGJlos8g/SW7bgtiMcbI/AAAAAAAAABc/SReIJHUYYlM/s72-c/SSL.png' height='72' width='72'/><thr:total>66</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-2677389754308128751</id><published>2008-12-30T12:59:00.000-05:00</published><updated>2008-12-30T15:02:42.993-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PKI'/><category scheme='http://www.blogger.com/atom/ns#' term='Trust Subversion'/><title type='text'>Trust Subversion</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_gJOhGJlos8g/SVp0iqlHmcI/AAAAAAAAABM/um-DzmRiWCk/s1600-h/md5_team_small.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 214px;" src="http://2.bp.blogspot.com/_gJOhGJlos8g/SVp0iqlHmcI/AAAAAAAAABM/um-DzmRiWCk/s320/md5_team_small.jpg" alt="" id="BLOGGER_PHOTO_ID_5285665251567049154" border="0" /&gt;&lt;/a&gt;Calvin Klein Models Subvert Trust!&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Recently, &lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/"&gt;a report&lt;/a&gt; went out stating that Public Key Infrastructure (PKI) is vulnerable to trust subversion.  I'll spare the gory details, as they are all in the original report - but basically MD5 collisions are used to make a certificate appear as though it is signed by a trusted Certificate Authority (CA).  This is a major flaw, but don't be discouraged.  After all, the internet ended a while ago, remember...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Why is this Rogue CA attack important to know about?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Well, from the research that was done and the proof of concept that was demonstrated, an attacker can create a certificate for any domain.  This certificate will appear to be signed by a trusted CA.  Thus, you will see that the site's cert is trusted and you will never get any notification to the contrary.&lt;br /&gt;&lt;br /&gt;Normally, a trusted CA will issue and sign a certificate, and then if the browser trusts the signing CA, you will see a padlock in the GUI and you will oftentimes see a message that lets you know that the certificate of the web site is trusted.  If the CA is not trusted, you are shown a message that the certificate is not signed by a trusted party and you are given the option to leave or continue.  This is PKI in a nutshell.  
The entire system relies on trust in the CAs, and the CAs in turn are expected to operate reputably and responsibly.  This works very well, until someone can subvert that trust.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What is trust subversion?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;(no, it's not a &lt;/span&gt;&lt;a style="font-style: italic;" href="http://www.amazon.ca/Subversion-Trust-William-T-Close/dp/0970337132"&gt;book about a doctor&lt;/a&gt;&lt;span style="font-style: italic;"&gt;)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Any time a security measure is based on trust, an attacker has the ability to subvert that trust and use it to his advantage.&lt;br /&gt;&lt;br /&gt;What I call "trust subversion" is any act that takes advantage of a relationship of trust between two parties.  This encompasses specific spoofing attacks, masquerading, Man-in-the-middle (MITM) and other attacks.  By appearing as a trusted party, an attacker can gain important leverage over a situation and can often gain confidential information (phishing/sniffing) or even infect a target computer with malware.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Real World Attack Vectors&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;DNS Cache Poisoning&lt;/span&gt;&lt;br /&gt;You may be aware of the &lt;a href="http://www.doxpara.com/?p=1162"&gt;DNS cache poisoning attack&lt;/a&gt; that was all the rage in 2008.  Well, if an attacker can use this type of attack to make a DNS server redirect a request for a trusted site to a rogue site, and that rogue site presents a certificate signed by a rogue CA, then there is nothing that the user will be able to see under normal operating conditions to alert him (assuming the site is a good knock-off of the original and not obviously fake).  
This is probably the most common attack vector that will be reported.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Phishing Emails&lt;/span&gt;&lt;br /&gt;Of course there is the ubiquitous phishing email.  If you receive an email that appears to be from a bank or anywhere for that matter, DO NOT CLICK on anything (this should be ingrained into all our heads by now).  You may be forwarded to an HTTPS site and think all is well, but with this attack, you can be owned.&lt;br /&gt;&lt;br /&gt;Of course there are endless possibilities, but wherever an attacker can redirect a user to a fake copy of a trusted site that presents a rogue cert, there lies the opportunity for subversion.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What should I do to prevent this?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Recommendations are given in detail in the &lt;a href="http://www.win.tue.nl/hashclash/rogue-ca/"&gt;original report&lt;/a&gt; under "Countermeasures."&lt;br /&gt;&lt;br /&gt;There are a few things to be aware of.  First, if you are an end user, there is nothing that you can do in your normal browsing habits that will easily detect subversion.  You can, however, go out of your way to inspect each certificate for subversion (details in report).&lt;br /&gt;&lt;br /&gt;As website owners/admins, there is more that we can do, though.  If you have a certificate that is hashed with the MD5 algorithm, ask your CA if they can issue you a new one signed using another hash algorithm (SHA-1 or SHA-2 for instance).  Also, although this is not listed in the report, you can check into &lt;a href="http://en.wikipedia.org/wiki/Extended_Validation_Certificate"&gt;Extended Validation Certificates&lt;/a&gt; (EV Cert) - I'm not a researcher, but it stands to reason that these types of certs may prevent this type of subversion by forcing more validation checks of the certificate.  
I would be interested in finding out if this is indeed the case - your CA may have tested this and would be a good resource to ask.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-2677389754308128751?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/2677389754308128751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=2677389754308128751&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2677389754308128751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2677389754308128751'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/trust.html' title='Trust Subversion'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_gJOhGJlos8g/SVp0iqlHmcI/AAAAAAAAABM/um-DzmRiWCk/s72-c/md5_team_small.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-3213712723816693305</id><published>2008-12-22T12:33:00.000-05:00</published><updated>2008-12-22T16:02:54.454-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Methods'/><category scheme='http://www.blogger.com/atom/ns#' term='Pen Testing'/><title type='text'>Answering the Ws of Your Network</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://3.bp.blogspot.com/_gJOhGJlos8g/SU_mbFadVNI/AAAAAAAAABE/cxOAS5_LVnk/s1600-h/20080401_af_W_story.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 195px; height: 143px;" src="http://3.bp.blogspot.com/_gJOhGJlos8g/SU_mbFadVNI/AAAAAAAAABE/cxOAS5_LVnk/s320/20080401_af_W_story.jpg" alt="" id="BLOGGER_PHOTO_ID_5282694240912889042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;This post is brought to you by the letter W...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Before getting started, I would like to mention that this argument uses some generalities.  I still feel that it is a good starting point to figuring out what makes a Security Practitioner different from a Network or Systems Admin.&lt;br /&gt;&lt;br /&gt;Note that a Security Practitioner in this case is more of an adviser to an admin than someone that does implementation.  Once a security solution needs to be implemented, if the same person that designed the security implements the solution, then the person changes roles at that point.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The technology field is largely a problem-solving field, more so than most.  When dealing with a problem that you have to solve you will invariably have to ask one or more questions about the problem in order to formulate a solution.  Most problems have several solutions, and the solution that is chosen is largely dependent on the probing questions that were asked of the problem.  I believe that the difference between Security Practitioners and Systems/Network Admins happens to be the different questions that are asked.  
&lt;span style="font-weight: bold;"&gt;Specifically that Security Practitioners ask Who, What, When, Where and Why [the Ws] and Systems/Network Admins ask How.&lt;/span&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Here's a scenario to hammer home my point:&lt;/span&gt;&lt;br /&gt;You have a small office with cubicles on one floor and a network closet on the same floor.  The employees have a mix of laptops and desktops and they all run various versions of Windows.  You need to deploy a new File Server.&lt;br /&gt;&lt;br /&gt;The Systems Admin would be inclined to start with "&lt;span style="font-style: italic;"&gt;How do I install a file server and make it available to the office?&lt;/span&gt;"  He might then think "&lt;span style="font-style: italic;"&gt;How do I secure the file server?&lt;/span&gt;"  The experience of being a security specialist allows the Security Practitioner to start with "&lt;span style="font-style: italic;"&gt;Why do you need a file server - is there anything that can be done more securely?&lt;/span&gt;" Then, when his boss says "&lt;span style="font-style: italic;"&gt;Just make the file server!&lt;/span&gt;" he will think:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;"&lt;span style="font-style: italic;"&gt;Who needs access to the file server?&lt;/span&gt;"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;span style="font-style: italic;"&gt;What will be stored on the file share?&lt;/span&gt;"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;span style="font-style: italic;"&gt;When will it be accessed?&lt;/span&gt;"&lt;br /&gt;&lt;/li&gt;&lt;li&gt;"&lt;span style="font-style: italic;"&gt;Where will the requests be coming from?&lt;/span&gt;"  &lt;/li&gt;&lt;/ul&gt;The answers to all of these questions have a direct impact on the solution.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Now that we know this...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You're right, this isn't exactly research, nor 
does it seem relevant to doing your job on a day-to-day basis.  It is relevant when working in a team environment, though.  Delegating jobs to people that have a certain thought process - or better, teaching people that a certain thought process is how we, as a group, like to do things - is important to make a fundamentally secure environment.&lt;br /&gt;&lt;br /&gt;To the admins that have the responsibility of making everything work, monitoring, securing and making sure the boss has coffee, thinking about the Ws first will make a more secure environment.  It may bring things into focus that just don't make sense ("&lt;span style="font-style: italic;"&gt;Why does the support staff need write access to the financial share?&lt;/span&gt;").&lt;br /&gt;&lt;br /&gt;This is valid even for the &lt;a href="http://securityworkshop.blogspot.com/2008/12/explaining-penetration-testing.html"&gt;Pen Testing&lt;/a&gt; argument.  Everybody seems to take a side on Pen Testing.  In particular, some think that the client does not understand the reason for Pen Testing.  It may help to know the thought process of the client in this case and find a way to advise for or against it as a security issue.  For instance, you do a Pen Test, then you report the results.  You answer the W questions.  The first question that you will be asked is "How would someone exploit the vulnerabilities that you just presented?"  As a security practitioner, it doesn't matter.  It has been proven by someone to be an attack vector, therefore it must be secured.&lt;br /&gt;&lt;br /&gt;Even in terms of a Security Researcher, you wouldn't think "How do I leverage this bug I just found?"  You would say, "I have found a bug, what happens when I do this..."  You would go through a series of trial and error.  
If you start thinking through a scenario starting with the question "how", it always ends up at a dead end - unless someone already answered all the Ws.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The exception that I can think of to this line of thought is when doing incident response.  Someone has already answered the Ws of your network and has already proven that.  You need to find out how that exploit did its thing - that way you can work through mitigating it in the future by answering the Ws of your network.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-3213712723816693305?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/3213712723816693305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=3213712723816693305&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3213712723816693305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/3213712723816693305'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/answering-ws-of-your-network.html' title='Answering the Ws of Your Network'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_gJOhGJlos8g/SU_mbFadVNI/AAAAAAAAABE/cxOAS5_LVnk/s72-c/20080401_af_W_story.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-2490325594342899115</id><published>2008-12-19T18:05:00.000-05:00</published><updated>2008-12-19T19:20:08.453-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Standards'/><category scheme='http://www.blogger.com/atom/ns#' term='Malware'/><category scheme='http://www.blogger.com/atom/ns#' term='CVE'/><title type='text'>Having a Virus is NO FUN</title><content type='html'>&lt;span style="font-weight: 
bold;"&gt;Especially the Flu...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Recently, my wife and I both came down with a bit of the flu (luckily our 12-month-old son didn't).  I spent one day trying to tough it out at work and while I was there I got a call about someone who had just heard about the &lt;a href="http://www.microsoft.com/technet/security/advisory/961051.mspx"&gt;Microsoft IE 0-day&lt;/a&gt; on Dec 9.  I guess it had just hit Yahoo! and had made it to this gentleman (who may not have read &lt;a href="http://securityworkshop.blogspot.com/2008/12/use-your-resources.html"&gt;post #2&lt;/a&gt;, otherwise he'd have heard about it on the 9th).  Since I was sick, I was at least happy that this admin was not going to let any computer be in my shape on his watch.  On that day I wanted nothing more than to eradicate all viruses.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;What's in a name...&lt;/span&gt;&lt;br /&gt;We ran into a problem, though.  I knew the threat as "THE Microsoft/IE 0-day (for right now)" and he knew the threat by what Trend Micro had caught on another admin's network.  We do not use Trend Micro, so I could not use that name while searching our signatures.  I looked for all different forms of Microsoft/IE that I could think of, still no dice.  The other major AV vendors have similarly customized names for the same threat that I couldn't easily find.  The downside to Virus Total is that you have to find a sample of the threat as a file or hash.  This can sometimes be risky.  More on this in future posts :o)&lt;br /&gt;&lt;br /&gt;The various vendors didn't even classify the threat as the same type: some had it as phishing, some as a virus, some as a trojan, etc...  This is why I keep calling it "the threat".&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Enter CVE...&lt;/span&gt;&lt;br /&gt;Common Vulnerabilities &amp;amp; Exposures. 
&lt;br /&gt;&lt;br /&gt;The way that we were able to track the threat is by its CVE number.  CVE is a standardized naming scheme used to track publicly known vulnerabilities and exposures.  Major vendors and mailing lists use the CVE so that you can quickly find exactly which threat you are searching for.  Once a threat is established in CVE, various groups take that and run.  You can use the CVE number to cross-reference various databases, from AV vendors to Internet Security watchdogs.&lt;br /&gt;&lt;br /&gt;The CVE number for the threat in question is &lt;a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4844"&gt;CVE-2008-4844&lt;/a&gt;.  This was even published in Microsoft's security bulletin.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Now we know the name, who does what with it?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;A great resource for techs that are trying to compare different AV vendors or network admins that have various AV engines in deployment is &lt;a href="http://www.virustotal.com/"&gt;Virus Total&lt;/a&gt;.  Virus Total simply reports which of its engines recognized the file as malicious.  Of course, the one drawback to this is that you have to trust Virus Total to give you up-to-date analysis and valid results.  I do for the purpose of double checking patterns, but I would never take this over deploying an actual security solution.&lt;br /&gt;&lt;br /&gt;You can always consult the website of your vendor as well.  Most vendors, if not all, post bulletins on various threats on their sites.  This is more complete than the Virus Total results, but can be harder to track down.&lt;br /&gt;&lt;br /&gt;Sometimes it's ok to have a honeypot-like machine for testing.  Make sure that the machine is COMPLETELY segregated from the network.  Try to infect it through your defenses.  If the threat gets through, assess further and find a solution to the problem.  Then try again until you routinely see it defeated 100%.  
This is a good security stance.  Just make 100% certain that this test environment is in no way in danger of infecting your production network.&lt;span style="font-weight: bold;"&gt;&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-2490325594342899115?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/2490325594342899115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=2490325594342899115&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2490325594342899115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2490325594342899115'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/having-virus-is-no-fun.html' title='Having a Virus is NO FUN'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-6970768002049896600</id><published>2008-12-14T21:53:00.000-05:00</published><updated>2008-12-15T17:10:15.992-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Pen Testing'/><title type='text'>Explaining Penetration Testing</title><content type='html'>&lt;span&gt;&lt;span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Pen Testing...&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;No, not making sure your Bic has ink.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Penetration Testing is the art of compromising someone's system(s) at their request and showing them the 
results in hopes that something will be done about it.  There is a lot of debate about what really happens before, during and especially after this test is done.  Many professionals have weighed in, including &lt;a href="http://www.ranum.com/"&gt;Marcus Ranum&lt;/a&gt; (Tenable Network Security) and &lt;a href="http://www.metasploit.com/"&gt;HD Moore&lt;/a&gt; (Metasploit).  You can hear a great podcast about Penetration Testing at &lt;a href="http://itradio.com.au/security/?p=101"&gt;Risky Business&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;There are tools that a penetration tester uses to find vulnerabilities in systems (and sometimes other things, such as &lt;a href="http://en.wikipedia.org/wiki/Dumpster_diving"&gt;trash&lt;/a&gt;).  Once a vulnerability is found, there is a second step, and this one is more controversial - it is where the arguments lie: the tester actively exploits the vulnerability and provides proof that the system is "PWNED".  The third step is deciding what to do with the info.  If the test results get dusty, then why do this in the first place?  Make sure that if you have a test done, you act to secure your systems.&lt;br /&gt;&lt;br /&gt;I would like to weigh in.&lt;br /&gt;&lt;br /&gt;I read an article that prompted both my last post and this post.  In the article &lt;a href="http://www.csoonline.com/article/468766/Penetration_Testing_Dead_in_?page=2"&gt;&lt;span style="font-style: italic;"&gt;Penetration Testing: Dead in 2009&lt;/span&gt;&lt;/a&gt; &lt;span style="font-style: italic;"&gt;(CSO online) &lt;/span&gt;you will see the following:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The concept as we know it is on its death bed, waiting to die and come back as something else. That doesn't mean pen testers will suddenly be unemployed, he said. It's just that they "won't be as cool" as they've been in more recent years. 
&lt;p&gt;Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.&lt;/p&gt;&lt;p&gt;[...]&lt;br /&gt;&lt;/p&gt;Kevin Riggins, a senior information security analyst for a company in the Des Moines, Iowa, area, said it's hard to argue with Chess' premise that the goal should be fewer failures. But he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing. Furthermore, ... production monitoring and measuring and penetration testing do not address the same issue.&lt;/blockquote&gt;Let's pick this apart a little bit.&lt;br /&gt;&lt;br /&gt;Mentioned in the quote is &lt;a href="http://www.csoonline.com/article/459716"&gt;Brian Chess&lt;/a&gt;, co-founder and chief scientist of business software assurance (BSA) vendor &lt;a href="http://www.csoonline.com/article/439625"&gt;Fortify Software Inc.&lt;/a&gt; Chess' argument appears in the first two paragraphs of the quote.&lt;br /&gt;&lt;br /&gt;I agree with Chess, but would like to revise the manner in which it is stated.  &lt;span style="font-style: italic;"&gt;&lt;span style="font-weight: bold;"&gt;Penetration testing is prudent when you have limited resources for assessment&lt;/span&gt;.&lt;/span&gt;  From my official schooling as a teacher, I know that the terms testing and assessment have two very different connotations.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Testing is a pressure situation in which a "snapshot" is taken of the state of the subject being tested (what do you know about the events of The War of 1812?). &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Assessment is an ongoing trend in which an assessor takes many "snapshots" into account (Do you understand the overall concepts of war in the 19th century?). 
&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Assessors are usually people that have regular dealings with that which is being assessed and provide a better insight into the person/thing being assessed.  (From this, you can also tell that I find the term "Vulnerability assessment" a bit erroneous in most cases.)&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;I agree with Mr. Riggins except for the statement that "he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing."  Following the previous paragraph, I hope that more IT personnel will realize that paying an outsider to test your environment is detrimental to the overall understanding of your environment in that it makes your staff's priority to fix holes that they are handed (an exercise that fosters automated thought rather than real critical thinking) rather than continually assess the systems for possible exposures.  Just make sure your staff has the training and motivation to do a great job.&lt;br /&gt;&lt;br /&gt;If assessment is done on a regular basis, I predict that FOI will decrease and systems will be more secure overall.&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-6970768002049896600?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/6970768002049896600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=6970768002049896600&amp;isPopup=true' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6970768002049896600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/6970768002049896600'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/explaining-penetration-testing.html' title='Explaining Penetration Testing'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-7174525470168263847</id><published>2008-12-14T20:44:00.000-05:00</published><updated>2008-12-15T17:10:04.889-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FOI'/><category scheme='http://www.blogger.com/atom/ns#' term='Metrics'/><title type='text'>Failure of Investment</title><content type='html'>&lt;span style="color: rgb(0, 0, 0);"&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;Recently, a lot of attention was given to an off the cuff comment by &lt;a href="http://blog.uncommonsensesecurity.com"&gt;Jack Daniel&lt;/a&gt; in response to a Return On Investment (ROI) conversation via Twitter - 
"&lt;span style="font-style: italic; font-weight: bold;"&gt;The only viable measurement in security is failure.&lt;/span&gt;" The reason that this comment got so much traction is that it is a new way of thinking through your security scheme. &lt;br /&gt;&lt;br /&gt;The newest topic seems to be "Is Penetration Testing dead?" - The answer is not straightforward and may need FOI to give some much needed clarity.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;First there was ROI...&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Will I Make A Profit?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Return On Investment is a valuable metric to the IT industry (as well as business community) as a whole.  It answers the question "If I buy this thing, will I make money in the end?"&lt;br /&gt;&lt;br /&gt;The Idea is that if you purchase something, it should at least earn you an equal amount of money back that you spent and can probably earn you more.  This should also happen in a reasonable amount of time.  For example, if you need to buy a firewall, it will help to know what that firewall will be doing.  You can then calculate - "If I buy a firewall for $d then in t (weeks, months or years), I will see a return on my investment and everything earned beyond t is profit"  At that point, It will have paid for itself (or you can use it in reverse to say that you shouldn't buy something because the ROI is either at a loss or too slow).  This makes a lot of sense when you need to make sure your boss looks good when doing the budget ;)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Then There Was TCO...&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;How Much Will It Cost?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Total Cost Of Ownership (TCO) came into play during the original converstation.  TCO is a predictive metric that tries to take into account everything that must be spend for something to be invested upon through its life. 
&lt;br /&gt;&lt;br /&gt;For instance, with the firewall that my boss needs, he won't look good if I google "cheap firewall" and then tell him that the firewall will cost $100 (it's a really cheap firewall).  I will need to take into account the cost of software, hardware that is not included, any monthly fees, my bonus for making him look good and ANYTHING else conceivable.  This is the Total Cost of Ownership.  That firewall is not making my boss look good :(&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Then there was FOI...&lt;br /&gt;&lt;/span&gt;&lt;span style="font-style: italic;"&gt;What is lssass.exe?&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Before I begin, Jack had an accessory after the fact, namely &lt;a href="http://andyitguy.blogspot.com"&gt;Andy, IT Guy&lt;/a&gt;.  Andy helped Jack by really &lt;a href="http://andyitguy.blogspot.com/2008/09/security-roi-debate-continues.html"&gt;defining FOI&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;FOI is even easier to define than ROI and TCO, but harder to inject into a real-life scenario.  FOI is not a predictive measurement, but a mantra that can be used to make sure you are taking due care to ensure things are working as they should. &lt;br /&gt;&lt;br /&gt;If something is allowed to fail, then the investment was not worth it in the beginning.  (What do you expect from a $100 firewall?)  &lt;span style="font-style: italic;"&gt;One of the tenets of FOI is &lt;span style="font-weight: bold;"&gt;if something does fail&lt;/span&gt; and funds are either spent or lost as a result, then &lt;span style="font-weight: bold;"&gt;it better not happen again.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;As far as security is concerned, if I have a security device and it fails, then &lt;span style="font-style: italic;"&gt;something&lt;/span&gt; is compromised, even if you haven't found it yet.  We now need to find and fix what happened.  
This will take time and salary dollars, and you may need to hire outsiders, not to mention that you may have already lost some revenue through an outage or data leak.  This is where FOI kicks in. &lt;br /&gt;&lt;br /&gt;Something has failed and my boss is angry.  He says "This is bad, we are stuck in this investment thanks to you.  Will it happen again?"  My answer is, of course, no.  It is now a much higher priority of mine to keep that firewall from failing. &lt;br /&gt;&lt;br /&gt;This is the essence of the argument.  Why was it such a low priority and allowed to fail in the first place?  There are many answers that I won't get into.  The "it's not my fault" argument may be valid (though it won't necessarily save your job) if the vendor failed to notify you of, or patch, an existing known vulnerability.  So, vendors, watch out there.&lt;br /&gt;&lt;br /&gt;Hope these three metrics shine some light on what to do with your IT budget and IT staff.&lt;br /&gt;&lt;br /&gt;Tim&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-7174525470168263847?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/7174525470168263847/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=7174525470168263847&amp;isPopup=true' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7174525470168263847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/7174525470168263847'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/failure-of-investment.html' title='Failure of Investment'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-2373005013127229844</id><published>2008-12-05T17:10:00.000-05:00</published><updated>2008-12-05T22:35:56.436-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Resources'/><title type='text'>Use Your Resources</title><content type='html'>To start off the blog, I would like to present some resources for finding great information.  If you are ever stumped, a lot of times you can find what you need to get going again.&lt;br /&gt;&lt;br /&gt;Humor...&lt;br /&gt;Find all your buddies laughing at a joke that you don't get?  
Laugh anyways to save face, but look up what they were laughing about, there's a lot of information to be gained by doing this.&lt;br /&gt;&lt;br /&gt;Search...&lt;br /&gt;Use your favorite search engine liberally.  If you have a log entry that you can't decipher, put a portion of it into a search engine.  You'll be amazed at what you find.  Don't be afraid to use the search engine to broaden your horizons about a variety of subjects.&lt;br /&gt;&lt;br /&gt;Forums...&lt;br /&gt;Find a forum and start searching and posting.  A lot of times you'll find that someone has already gone through your current situation.  If there aren't any that have, post a new thread and ask for some help!  Good people will help a lot - don't get discouraged by "flamers" and "trolls"&lt;br /&gt;&lt;br /&gt;Get linked...&lt;br /&gt;Since you are reading this blog, you know that keeping up with the times is important.  Here are some great resources for keeping up with current events in the technology field.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Your favorite magazine: Read CSO, Information Week, The Register?  Just find a good daily and stick with it.&lt;/li&gt;&lt;li&gt;Read the actual standards (make sure you're awake enough) &lt;a href="http://www.faqs.org/rfcs/"&gt;http://www.faqs.org/rfcs/&lt;/a&gt;.  &lt;span style="font-style: italic;"&gt;This site is also a great resource for FAQs and HOW-TOs for all kinds of subjects&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;a href="http://www.wikipedia.com/"&gt;Wikipedia &lt;/a&gt;(use with caution) - A lot of scientific/technical information on Wikipedia is accurate.  
Just be careful.&lt;/li&gt;&lt;/ul&gt;Get Secure...&lt;br /&gt;Here are some authorities on security.&lt;br /&gt;&lt;a href="http://www.cert.org/cert/"&gt;http://www.cert.org/cert/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://csrc.nist.gov/"&gt;http://csrc.nist.gov/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.sans.org/"&gt;http://www.sans.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Listen in...&lt;br /&gt;Podcasts are a great way to get information.  Find all sorts of great audio files in various formats.&lt;br /&gt;I am currently a listener of&lt;br /&gt;*Security Now with Steve Gibson and Leo Laporte (TWiT network - &lt;a href="http://www.grc.com/securitynow.htm"&gt;www.grc.com/securitynow&lt;/a&gt;)&lt;br /&gt;*Risky Business with Patrick Gray (&lt;a href="http://itradio.com.au/security/"&gt;itradio.com.au&lt;/a&gt;)&lt;br /&gt;*PaulDotCom's podcast with Paul and Larry (&lt;a href="http://www.pauldotcom.com/"&gt;www.pauldotcom.com&lt;/a&gt;)&lt;br /&gt;(And NPR, but that's not related)&lt;br /&gt;&lt;br /&gt;And of course, BLOGS!!&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-2373005013127229844?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/2373005013127229844/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=2373005013127229844&amp;isPopup=true' title='15 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2373005013127229844'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/2373005013127229844'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/use-your-resources.html' title='Use Your Resources'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>15</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2000302002661616751.post-1586406758140945735</id><published>2008-12-04T22:56:00.000-05:00</published><updated>2008-12-14T20:44:26.394-05:00</updated><title type='text'>Mission Statement</title><content type='html'>The mission of this blog is to provide the technology community with lucid, easy-to-understand breakdowns of information security topics from the viewpoint of a security newcomer.&lt;br /&gt;&lt;br /&gt;In my short time as an engineer for an internet security vendor, I have noticed that a lot of systems administrators are thrust into positions in which they did not prepare themselves or are confronted with issues that they did not anticipate.  
Technology is a broad industry, after all.  I am creating this blog as a guide to information security concerns targeted at the "do-it-all" systems administrator that may not have had a chance to specialize in security.  I hope that even the most seasoned security professional will gain a new outlook on these topics as well.&lt;br /&gt;&lt;br /&gt;Please stay posted as this blog becomes full of useful content!&lt;br /&gt;&lt;br /&gt;-Tim&lt;div class="blogger-post-footer"&gt;Tim Cronin is a Support Engineer with Astaro Internet Security.
Security Workshop is written with small business in mind.&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2000302002661616751-1586406758140945735?l=securityworkshop.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securityworkshop.blogspot.com/feeds/1586406758140945735/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2000302002661616751&amp;postID=1586406758140945735&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/1586406758140945735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2000302002661616751/posts/default/1586406758140945735'/><link rel='alternate' type='text/html' href='http://securityworkshop.blogspot.com/2008/12/mission-statement.html' title='Mission Statement'/><author><name>Tim Cronin</name><uri>http://www.blogger.com/profile/05962563677149844004</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry></feed>
