I've recently finished reading Freedom, the sequel to Daemon by Daniel Suarez. I made a longer post which I have yet to clean up and release, but wanted to throw out this idea. (I highly recommend those books!)
I just read a post on isc.sans.org about an SEO poisoning attack. This reminds me of all the efforts to legitimize malicious accounts, sites, and activities. For instance, want to avoid the malware-radars on Twitter? Make a ton of accounts, follow each other, and get a few dozen or hundred randomly posted tweets. You'll blend right in!
(Tiny, TINY spoiler here for Daemon, but not for Freedom. I'm really not giving anything away that will spoil the plot.)
In Daemon/Freedom, the daemon creates this new system which is based in part on reputation. As users in the daemon's system, you can vote up or vote down other users based on your interactions with them.
This still suffers from problems of gaming the system, just like we see malware attempting to do today. You get enough "people" going, and you can inflate your scores. Likewise, this breaks down when you don't have people voting based only on rational reasons and instead vote on popularity or for irrational reasons. Ashton Kutcher was the first person to 1 million followers on Twitter. Would it be appropriate for him to be the most powerful user in any legitimate system that has real world ramifications? Probably not.
by michael 03.08.10 at 4:39 PM in /general - comments(0)
Seems recently there has been a spate of incidents involving small/medium businesses where malware has opened the doors to fraudulent money withdrawals through bank web sites, or the guessing of credentials/security questions, or the tricking of customer support staff. Krebs has several articles on this topic. Rather than link around, I'm being lazy on a Friday and you'll just have to take my word that I feel like I'm seeing these stories pop up more often this month.
We're being taken for a ride through the same convenience that users are wanting. Convenient banking for mom at home is convenient banking for an attacker in Latvia who can get credentials. That, combined with the infancy of many of the authentication mechanisms for online banking, the infancy of security awareness by users (really, don't do banking from the same system you view porn), and the immaturity of the banking establishment to seemingly do much about it, makes for a volatile environment.
We have a very litigious society, one that is quick to point fingers and shift blame. But we're unfortunately all in this together. Convenience with money is not any one person's or group's fault. In the end, the end user needs to be more educated about computer security and not just throw their hands in the air and blame the bank when their browsing habits led to an issue.
(Then again, it's still everyone's fault if they were just browsing ESPN which happened to be pwned with malicious script that silently installed malware through an unpatched IE6 hole that was known about but not fixed or publicly disclosed...)
by michael 02.26.10 at 8:36 AM in /general - comments(0)
Ever wonder what Microsoft stores in their services about you, or how that might be used to aid criminal investigation? Seems an internal document has been floating around that discusses Microsoft's Global Criminal Compliance Handbook. Some thoughts...
First, if you live in the US (or China, and others) don't be naive and think businesses can keep what you do secret, even in the face of a subpoena or government influence. Many of these services and tools (like Skype, AIM, GMail, your cell phone provider, landline phones, ISP, etc) wouldn't be allowed if there were not ways to intercept or request stored information from them to track down criminals. Simply because of that, you know they have to have some method of easy records requesting or eavesdropping capabilities (like the guy in that secret closet at AT&T!). Don't get me wrong, I'm not necessarily saying this is a bad thing; I actually do favor having that capability to use for authorized purposes. It's just really difficult to maintain that ethical level of "authorized." Lots of people were shocked to hear that Google has a web site to request subpoena materials. I wasn't shocked they have that capability, although I was a bit shocked that it was just a web portal that was apparently poorly protected.
Second, even if it's not true in practice, it's nice to read that Microsoft internally does not want to do things like record IM conversations or store your email after you've opted to delete it (or at least they don't want to provide such to authorities, but I bet that lines up with what THEY want as well). Honestly, I really wouldn't expect Google to be quite as satisfactory in this regard. It is my impression that they want to record, keep, index, and correlate as much as possible, even things you've marked or thought were deleted or not recorded.
Third, transparency should not be scary. Is this doc scary to read? Actually, no it is not. The only thing this leaves is whether all of this really is done in practice, but seeing the doc does nothing to challenge that, in and of itself. A doc that says all this, but in practice they do the opposite and save much of this information in personally-identifiable/correlatable form would be a bad thing. But otherwise, I think everything in this doc is actually somewhat reasonable.
Fourth, just to reiterate, I'd be shocked if Google could even begin to do this same thing.
Picked up from the infosecnews mailing list.
by michael 02.25.10 at 9:22 AM in /general - comments(0)
I'm just perusing a DarkReading article that talks about the just-released 2010 CWE/SANS Top 25 Most Dangerous Programming Errors and something about a software procurement security contract (link from 2009, so not sure if this is what was referenced).
Without the benefit of real dialogue/discussion on what the contract is trying to do and what it really means, my kneejerk reaction echoes what Gary McGraw was quoted saying in the DarkReading article ("The liability angle is not the right idea..."). A contract is an extremely heavy-handed way to try to ensure something you can't ensure (secure). But I guess it does throw a punch to software developers where it hurts the most: money. Still, this isn't about improving security so much as shifting monetary losses. In other words, the avoidance of those punches where it hurts the most. Should vendors/developers be responsible? Yes. But I also think natural market forces are "better" for this relationship than contract wording. You got hacked through bad software? Stop using that software. You bought bad software? Maybe your procurement *process* was hurried and flawed. Shifting costs...that's all this really is.
It also has the dangerous possible side-effect of allowing software buyers to blame developers for everything, even improperly using software or not properly following their own best practices for network security, isolation, and so on. You mean I can blame Microsoft because my Windows XP system was connected directly to the Internet without a firewall/router?
I also would be worried that we just get more violent about disagreements on what is considered a "security issue" or a "bug." Contracts bring about discussion on semantics and definitions...things that don't help anyone.
by michael 02.18.10 at 9:19 AM in /general - comments(1)
Bless his heart, I'm glad Rothman is back and blogging! I really enjoy his opinions and, quite honestly, I think we align up pretty well in our feelings and editorials. It's like having a security soulmate!
Rothman recently posted a nice opine about product reviews. Honestly, I put most of my value in products based on just 2 things. My own experiences hands-on. And experiences of others who are hands-on and not either hand-picked from the vendor or have any stake whatsoever in pimping one product (vendor "partners") or not pimping another. Basically, if I know you work as a net admin and you use product A, I'll ask how you like it and what's good/bad. And hopefully I get decent answers because if I pick up that I should hate McAfee products, can I tell my boss (and his boss) that it's because CN hates on them on Exotic Liability's podcast? I feel like I need to have some real responses, and that often only comes through hands-on with products, either myself or others I can trust.
I would love a venue for real reviews, kinda like HardOCP is to me for computer hardware. However, Mike's right, I'm not sure there is money in it. I mean, I'm certainly not going to pay for the review results, and I'm not sure these industries have enough players to be properly compared to computer hardware review sites or video game reviews in gaming mags. Most IT product reviews I read in mags and sites are met immediately with skepticism. Are these two in bed with each other? Is that a paid-for ad on page 76 for the same product you're "objectively" reviewing? Do they mention anything negative at all, or criticisms, or their competition? Hell, I even dismiss articles in Insecure when the author is the CTO...
Then again, half the beauty with HardOCP runs in line with what I value in researching a product: being able to ask questions on a forum to people who have real-world experience with said products. So maybe the real problem is finding a security-specialized community-building forum for discussing products, offtopic junk, and attacks. Yeah, I like the Security Catalyst community, but I really feel like I should be wearing a tie in there and refrain from community-building offtopic posts like, Best Super Bowl commercial. Or things you can bullshit about in IM or IRC. What if Infragard had an online forum that was protected but allowed anything you wanted to talk about without being too confusing and splintered into subforums? Then again, all it takes is a copy-and-paste and "sensitive" information is leaked. Pooh.
I'm stopping before I ramble some more... I think it's time to start idling in IRC more and participating in some nice forums...digital social networking, if you will.
by michael 02.17.10 at 2:28 PM in /general - comments(1)
Krebs has a story up about malware "destroying" 800 systems for the city of Norfolk, Virginia. Reading it drives home a few points, not all of which make me happy. I will say, it sucks bad enough to have power issues that affect lots of things, but it would suck worse to have to expeditiously rebuild nearly 800 machines.
1. I'd conjecture almost every organization has a vested, financial interest in getting systems back to operation as quickly as possible. Department heads, directors, managers, and the staff are all measured by that reaction. In addition, I doubt few organizations have extra staff and equipment on hand to handle any incident that affects even a fraction of their systems. This means there is often all the pressure in the organization to wipe off systems and get them back up and running, slapping hands along the way of those who stored documents improperly on their local systems. And very little pressure to preserve evidence or dig deeper in defining and scoping the malware and/or intrusion. Sad, but true.
2. "Insider" gets mentioned, and honestly, probably appropriately. But that never helps with my work, mainly because I'm an insider and an admin, and locking/auditing me can only lead to inefficiencies. Yes, I'm biased. But I get the desire, from an organizational standpoint, to prevent one rogue admin from stomping on the balls of whomever. I just don't have to entirely like it, and I prefer to say things like, "If you can't trust your admins, you need to question your hiring practices." Besides, solving issues surrounding godlike admins is a rather tough (read: costly) task.
3. As commenters on the article have said, it is nice to have data storage policies and even some controls in place, but if users want to save things to their systems, they'll find ways to do it. This dives deeply into our "gambling" sort of view to risk. Everyone has some inkling that their system hard disks are not magic and will fail eventually, but many people take the gamble and do nothing about it. This is one of those places where FUD scare tactics in user education help.
4. As always with reports like this, I'm left hungry for technical details. But I'm getting used to being unsatiated in that regard. At least I can trust what Krebs does report, and I believe he has reported all *he's* gotten, too. Likewise, it begs questions like, could endpoint security have detected this? Any sort of integrity auditing? And so on...at least, those are my questions I'd love to have answered if I sat in their SOC (if they have one).
by michael 02.17.10 at 1:56 PM in /general - comments(0)
Check out this sobering reminder of just how powerful your Blackberry (or any mobile device) can be these days in a post at Veracode titled, Is Your BlackBerry App Spying On You (includes a video).
by michael 02.10.10 at 3:14 PM in /general - comments(0)
Patch Tuesday has come and gone, and I thought I'd share a few notes about the patches this week, or rather, things that caught my eye.
ms10-003 - Office patch
ms10-004 - PowerPoint patch
ms10-005 - ms paint patch (yes, that ms paint; and how it opens jpg files)
ms10-006 - more smb client ownage (i.e. responding to a malicious smb server)
ms10-007 - shellexecuteapi (just know that this can be triggered via web browsing)
ms10-008 - your monthly set of activex killbits
ms10-009 - vista/2008 tcp/ip patches, including an anonymous remote DOS, as well as ipv6 issues
ms10-010 - hyper-v issue where guest code can affect host stability (and thus other guests)
ms10-011 - privilege escalation from local logon
ms10-012 - smb server (i.e. all Windows networked boxes) issues; including anonymous DOS
ms10-013 - malicious AVI files can r00t a box (beware your porn sites!)
ms10-014 - domain controller DOS via kerberos requests
ms10-015 - more local privilege escalations
I expect priv escalation issues (ms10-011 and ms10-015) to be tempting targets for Metasploit. Likewise, network-borne attacks against SMB I also expect to be exposed further (ms10-006 and ms10-012).
A few other attacks really should be patched on servers or you may risk insider DOS conditions in ms10-009, ms10-012, and ms10-014. Like teardrop attacks of old, these are still annoying risks, but hopefully modern networks have their risk limited via firewalls.
Opening bad websites and files is still a big deal. The Paint/JPG and AVI issues really do sound like easy exploits (ms10-005 and ms10-013). Likewise ms10-006, ms10-007, and ms10-008 can be browser-delivered. Hell, I wouldn't be surprised if some of those local priv escalations could be delivered via web code or executed "codecs" and such.
I also wouldn't be surprised if one or two of the network-borne DOS attacks could be extended to execute code. If so, that would elevate some of these risk levels.
Lastly, the holy grail of virtualization security is being able to jump from virtual guest system to the virtual host system. MS10-010 exposes an issue where code run on a guest system can affect the host system and effectively bring down all the rest of the guests. That's not nearly the same as r00ting the host, but issues like this only make people worried. So far, guest-to-host attacks have been theoretical, academic, or highly impractical, and most would prefer not to think about the implications of a guest-to-host attack or how that changes PCI/compliance scopes and hardware allocations.
by michael 02.10.10 at 1:40 PM in /general - comments(0)
This is just me organizing some notes on building a new gaming rig. The last one I built 2 years ago still works great, but I want to transition it over to be my day-to-day Ubuntu desktop, and use this new one as an excuse to dive into Windows 7. So far, I have purchased nothing, and may not even pull the trigger, but at least I know what I want for now. I already have plenty of boxes and not enough uses for them!
Budget: In the past I've been budget-conscious and always planned to upgrade parts as the years go by. I've learned that I really just don't upgrade much beyond peripherals or a few non-core pieces. Likewise, I've never really splurged on a system for myself. So this year, I'm planning on splurging with parts and pieces that should last quite some time. I'm not shying away from spending $3,000 on the system, and the parts listed below do approach that figure. Ten years ago I would scoff at such a budget, but I guess this is what happens when you get older and more fiscally responsible!
Use: First, gaming. Second, I also use this system for media ripping and burning and some pmp management (not with iTunes!!). I have no plans to rip and/or burn blu-ray media, but I think it is worth having that capability since I already want the blu-ray player option. Third, I pay bills and do banking on it. I don't install software beyond gaming, and I don't run strange media files or other files on it. Basically, I treat this system like a trusted box that I intend to do my sensitive stuff on. Since this isn't my Windows "bitch box" that gets crap loaded on it, I can both trust it more and keep games running smoothly. This is not my day-to-day desktop where I check email and ESPN and blogs. I use Ubuntu for that. I also have other systems running Windows that I can do more experimental things on including a VMWare server. Hell, this box is big enough to leverage VirtualPC and run something in it to play with...
Notes not represented in the below parts: I already have decent 2.1 speakers, headset, keyboard, mouse, a 24" monitor (2 if I wanted to use it on this system) and I KVM the input devices with my day-to-day Ubuntu box. I will also run a second liquid cooling loop that will hit, at a minimum, the graphics card.
Motherboard: ASUS P6X58D Premium LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard - 309.99
or
Motherboard: GIGABYTE GA-X58A-UD7 LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard - 349.99
or
Motherboard: ASUS P6T Deluxe V2 LGA 1366 Intel X58 ATX Intel Motherboard - 289.99
CPU: Intel Core i7-920 Bloomfield 2.66GHz 4 x 256KB L2 Cache 8MB L3 Cache LGA 1366 130W Quad-Core Processor - 288.99
Motherboard: GIGABYTE GA-P55A-UD3 LGA 1156 Intel P55 SATA 6Gb/s USB 3.0 ATX Intel Motherboard - 134.99
CPU: Intel Core i7-860 Lynnfield 2.8GHz 8MB L3 Cache LGA 1156 95W Quad-Core Processor - 279.99
CPU cooling: CORSAIR Cooling Hydro Series CWCH50-1 120mm High Performance CPU Cooler - 77.89
Case: Corsair Obsidian Series 800D CC800DW Black Aluminum / Steel ATX Full Tower Computer Case - 269.99
or
Case: COOLER MASTER CM690 II Advanced Black Steel body / Plastic + Mesh bezel ATX Mid Tower - 99.99
PSU: CORSAIR CMPSU-850HX 850W ATX12V 2.3 / EPS12V 2.91 80 PLUS SILVER Certified Modular Active PFC Power Supply - 169.99
Memory: G.SKILL Ripjaws Series 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) - 169.99
Memory: G.SKILL 4GB (2 x 2GB) 240-Pin DDR3 SDRAM DDR3 1333 (PC3 10666) Dual Channel Kit Desktop Memory - 106.99
Graphics: SAPPHIRE 100281SR Radeon HD 5870 (Cypress XT) 1GB 256-bit GDDR5 PCI Express 2.0 x16 - 409.99
CD-RW: LITE-ON Black 24X DVD+R 8X DVD+RW 8X DVD+R DL 22X DVD-R 6X DVD-RW SATA CD/DVD Burner - 26.99
Blu-ray: Pioneer Black 12X BD-R 2X BD-RE 16X DVD+R 5X DVD-RAM 8X BD-ROM 4MB Cache SATA Internal Blu-ray Burner - 199.99
Blu-ray: LG Black 8X BD-ROM 16X DVD-ROM 40X CD-ROM SATA Internal Combo LG Blu-ray Reader & 16X LightScribe DVD±R DVD Burner - 89.99
Soundcard: ASUS Xonar DX 7.1 Channels PCI Express x1 Interface Sound Card - 89.99
Windows OS: Windows 7 Ultimate 64-bit - 179.99
HD: OCZ Vertex Series OCZSSD2-1VTX120G 2.5" 120GB SATA II MLC Internal Solid State Drive (SSD) - 429.00
or
HD: Intel X25-M Mainstream SSDSA2M160G2R5 2.5" 160GB SATA II MLC Internal Solid State Drive (SSD) - 499.00
HDx2: Western Digital Caviar Blue WD5000AAKS 500GB 7200 RPM 16MB Cache SATA 3.0Gb - 55.99x2
HDx2: Western Digital Caviar Blue WD6400AAKS 640GB 7200 RPM 16MB Cache SATA 3.0Gb/s 3.5" Internal Hard Drive - 69.99x2
or
HDx2: SAMSUNG Spinpoint F3 HD103SJ 1TB 7200 RPM 32MB Cache SATA 3.0Gb/s 3.5" Internal Hard Drive - 89.99x2
All main parts from Newegg. Other watercooling and misc parts from FrozenCPU.
by michael 02.09.10 at 2:30 PM in /general - comments(4)
As if we didn't already have a huge war going on over the endpoint, a researcher piles onto voice encryption by tackling pre-encryption recording on the endpoint device itself. This sort of is a, "duh," in my book, as the next step would be to just record the signal as it comes in off the mic (or USB), continuing on to the extreme of listening in proximity to the speaker when they're doing business at Starbucks.
This did make me wonder whether there are laws around commercial digital voice communication software and equipment that they *must* allow the ability for a government to tap and surveil. And if so... Basically speaking, so many people feel they have this veil of security on when they use something like Skype...and I can pretty much guarantee that if its use is "ok" in China, it has backdoors or methods of eavesdropping. Hell, even companies like Google and others make money off what you do and say and search and send and browse and go...don't think it hasn't crossed my mind that Google will want to record everything you say, transcribe it automatically, and index it for ad use!
Hrm, I woke up on the paranoid side of bed...that or a Garbage song was playing on the radio when I woke up! ("I Think I'm Paranoid...")
by michael 01.29.10 at 11:28 AM in /general - comments(0)
If you didn't read Krebs when he wrote for the Washington Post for whatever reason (I myself was a spotty reader), and you're into security, you should give him a fully new try at his new personal blog, because it's good. Consider it part of your A-list. A recent article made me sigh sadly: a bank sues a customer who was a victim of a cyber heist. None of the issues here are new, but collectively they illustrate the frustrations we face in securing a digital world while also dealing with real world culture. The comments after the article are as important as the article itself.
by michael 01.29.10 at 11:15 AM in /general - comments(0)
If someone in security isn't yet convinced it is as much an art as it is a science, I'd expect they've not done security long enough (or they've been lucky to work in a high security environment or focus solely in academic computer science).
For as much as security wants credibility and to make a difference, it dashes our efforts when someone runs into a room waving around an automated vulnerability report and demanding that every (every!) item be fixed or business will be denied. ...including such idiotic things like "hiding" http 403 errors because they give away directory presence or a single weak cipher is enabled or something else so low as to be valueless to any attacker. Or at least less value than it costs to mitigate the low issue! It hurts worse when this report-waving person is another "security" dude. To those people, way to sour everyone's grapes.
I also read a recent post on Bejtlich's blog as well as the links and comments for the post. Some great thoughts in there.
I'm convinced of a few things...
First, there are very few (if any) correct answers that work on a global or universal or even "just really large" scale. What works for one organization may not work for another, for any countless reasons. We have lots of great ideas, collectively, in security, most of which probably work. The biggest problem is inertia and getting someone to actually devote some time and resources to the cause in the first place.
Second, the only way to combat the crap being passed around is to be an expert in security (in as many veins as possible) and being able to maintain credibility to educate management. This means being pragmatic and yet effective. It means being able to talk to someone and explain why issue #87 is not the Big Deal they're running around trying to make it be, just because it appeared on an automated scan. This means not making ultimatums over useless low risk issues and actually tackling issues and initiatives that will actually have some value (even if you don't understand fully how to measure and prove that).
I really think good security geeks know in their gut when something is useful to the cause or not, even if it is hard to actually justify it every time.
by michael 01.27.10 at 8:35 AM in /general - comments(0)
Check out the 'Great PCI Security Debate of 2010' podcast pieces. Part 1 is hosted at CSOOnline. Part 2 is hosted at the Network Security Podcast. Everyone is quote-irific. Everyone has great points and I find myself agreeing with most (but not all) of what every person is saying, which itself indicates the challenges we have in security. It is not about finding the ultimate answer to the universe and everything, but rather still a very subjective view on what you'd think is a very objective discipline (IT).
Josh Corman early on had some great quotes:
"What a strange twist of fate that we now fear the auditor more than the attacker."
"We've reached a level of completely unacceptable and unsustainable cost and complexity."
And Jack Daniel:
"There are a lot of people just trying to get past [PCI]."
"Their [network admins and systems admins] goal is for the network to work and the systems to work, and that's what they're judged on. That means getting PCI out the door." <--this reminds me of the paradigm difference between security in the trenches and security in the exec rooms. It also reminds me of Rybolov's Infosec Mgmt graphic. It might also exemplify the difference in perspective between macroscopic (global/universal) and microscopic (1 network) security...
by michael 01.21.10 at 8:54 AM in /general - comments(0)
Praetorian Prefect has a video posted demonstrating the Aurora attack against IE6. It also shows how easy Metasploit is to use once you get some experience with it. While nothing new to sec geeks, I think it is mind-boggling to norms who have no idea how slickly you can own a system.
This incident centering around Google has raised tons of discussion. I really can't add too much more to what has already been said in various corners of the net, but I can at least add my own voice to the cacophony...
First, Google is a large, public company. They, like most any company, will not come out with a declaration like this without a firm economic reason to do so. I think the best response I've seen was Moxie's over on the DailyDave list.
Second, lots of people rightly diss on these companies for probably using IE6 widely. This is an easy argument (just like saying 'why are you insecure?' after someone is hacked...), but not one I tend to take too deeply because, quite honestly, it takes time and effort (i.e. MONEY!) to change things in an IT environment. Good point, but don't bandy this too hard.
Third, stop being surprised that Google has automated systems to dump your data to authorities. Don't be naive, both about Google and about economic entities.
Fourth, Google uncovered several attacks to something like 30 other large companies. Wait...does that mean all of them didn't detect the attacks? Pass the whiskey...
Fifth, defense in depth and detection helps. Having operators/analysts keeping their fingers on the pulse of networks and systems helps (or more appropriately properly augments automated tools). Signatures (and automation) do help and have their place, but nothing will be able to interpret suspicious or strange behavior like a human.
Sixth, speaking of defense in depth, we've all seen the vectors of initial attack. We've all heard rumors about just how deeply the attackers got inside their targets. But who is connecting the dots? Exactly how did owning the clients pivot over to the servers or systems? I'm not saying I don't believe those rumors, but I am saying it sounds like we still have a non-secure interior. I know security is reactionary in nature and economically-bound, but what the hell?
Seventh, attackers were originally curious and self-serving in a non-financial way. Then they realized they can make money stealing directly from accounts in a very liquid fashion, and a subset who directly utilized CPU cycles collectively. I think now we're seeing more realization that there is value in information held by corporations; on the level of corporate espionage. This is far less liquid to most people, but to nation-states or other corps... I'm not saying this is cyberwarfare! But less-liquid espionage is the next natural step...should we be surprised that Google reportedly had a team ready to attack the attackers? Shadowrun, anyone?
by michael 01.21.10 at 8:31 AM in /general - comments(0)
If you're sick of Google v. China, then skip this post. This is just me hoarding a few more links for reference.
Researchers identify command servers behind Google attack.
Google's internal spy system was Chinese hacker target (which references ComputerWorld):
This [internal spy system used to fulfill warrants] reveals that Google collects information about all of its users all of the time and in a format that enables it to easily hand it over to any government agency that orders a search warrant. This is an embarrassing revelation.
by michael 01.15.10 at 10:48 AM in /general - comments(0)
I hadn't mentioned the Google/China drama because pretty much everyone else has, but new details have emerged on this topic in regards to an IE 0day exploit in the wild. Both Brian ("How-Many-Bloggers-Can-Say-They-Have-Sources?") Krebs and The H Security have good posts on it, and both link to Microsoft's new advisory on the problem.
The H Security has an interesting comment:
The advisory states that, while the hole affects versions 6, 7 and 8, the current attacks only appear to have targeted version 6 – which raises a question as to how current the affected companies' software inventory is.
Indeed. They also mention what is becoming the attack method du jour:
The attackers apparently used the flaw to inject a trojan downloader into compromised computers. The downloader then proceeded to retrieve further modules, including a back door that gave the attackers remote access to the computer, from a server via an SSL-encrypted connection. Links to the crafted web pages were likely sent in emails to selected employees of the targeted firms.
Outbound SSL-encrypted connection. Take that firewall egress filters! This gets back to how prevention eventually fails, and you're down to relying on your layers of defense to detect the issue and respond appropriately (unless you aggressively whitelist, I guess). And while we often pass off 0days as exotic and not a threat, tell that to the high-profile targets that just got hit. And we all know that once high-profile targets don't look as juicy anymore, attackers will go after their partners, vendors, providers, contractors, and smaller shops that have far less ability to prevent and detect these attacks.
by michael 01.15.10 at 9:27 AM in /general - comments(0)
Reading articles like this one from Krebs regarding a firm releasing a slew of previously undisclosed vulnerabilities stokes a few latent thoughts of mine which I've probably expressed quietly on Twitter (or even here and I don't remember it).
First, it is naive to think the only vulnerabilities that exist are those that are found and popularly disclosed.* There are people who find and sit on their vulns, and I'm not just referring to black hats or gov't espionage/cyberwarfare players who want to keep their attacks as secret as possible (or their condoned backdoors [coughskypecough]). Even white hat hackers who find a vuln and even responsibly report it may be sitting on a very important finding. Maybe they get fixed, maybe not. Hopefully it does eventually get disclosed. Who knows how many vulns a group like iDefense is sitting on!
Second, any vulnerability found and/or disclosed today has existed since it was born either in the current version of a product, or when the underlying code was first written. This includes vulns that aren't even found yet. Tomorrow's Windows root is a Windows root that may have existed for 8 years. Kind of sobering, that thought.
Third, this is why checklist-styles of vulnerability management are usually backwards-looking; they look for things that are known. Some things like, "turn off service X when not in use," are a little different, but auditing for patches certainly is backwards-looking. I'm not saying there is no value in audits like that, but they should not be confused with the ability to say a server is secure. It just means we are patched against known issues and have taken some steps to mitigate future risk...
I'd chalk the first two up in a list of "security laws" that help define an approach to digital security, right up next to other "laws" like, "You will be breached." A fundamental baseline of belief, mind you...
* Tangential discussion can break out on this topic by talking about Apple fanboys, or even the fact that Apple positions its Mac product line (OS and devices) as premium products (i.e. they don't have to price-match, among other characteristics). Is the Mac target demographic the type of demographic that wants to patch every month? Or even admit their product has a flaw?
by michael 01.12.10 at 9:33 AM in /general - comments(0)
BackTrack 4 Final is out. Thanks to the Twitter community for getting the word out (to me at least).
by michael 01.11.10 at 3:33 PM in /general - comments(0)
SecurityMonkey has a post regarding new TSA guidelines, along with a video/link demonstrating how a small explosive may be created and hidden that is probably pretty darn undetectable.
He also hits on one of the major things I've felt since 9/11: reinforce the damn cockpit doors. *What makes plane bombings so different in scope to bus, subway, or even boat bombings is the ability to take control of the vehicle to do even more damage. Therefore, protect what you can. Safety on a public plane will never be assured, although you can help minimize some obvious things like guns or stupid terrorists.
* This also does include policy and thought on what can be passed to and from the cockpit, especially on long flights on emergencies, either mechanical or medical in nature (pee breaks?), and so on. Basically, you also don't want pilots to be coerced into opening the door, or have something slipped to them (a sedative through a food tray?) that jeopardizes the operation of the plane because no one else can get in. (Then again, if you drug the pilots, the plane is probably doomed anyway...)
by michael 01.06.10 at 10:55 AM in /general - comments(0)
In case anyone missed it, Brian Krebs (just formerly from the Washington Post's Security Fix blog) has his own blog opened up that is well worth the bookmark. Krebs' blog on the Post site has long been one of the few truly useful "mainstream" outlets for security news that I keep in my RSS feeds. In reading his latest posts, I'm excited for his new venue, especially that he is his own editor now, and we don't only get the cream of the crop as far as news stories, but also the difficult-to-explain-in-a-mainstream-site issues.
In short, we need people like Krebs who can sit quite comfortably between three parties: the technical geeks, the business people who may either act as his sources or his subjects, and the people who make up the journalism entity. By that last part, I mean he knows the ropes about what he can and cannot write, has demonstrated journalistic integrity, and has contacts and knowledge of the laws and protections he may enjoy. We don't have all that many people like him in the security "blogosphere."
by michael 01.05.10 at 4:37 PM in /general - comments(0)