Skip navigation

Author Archives: hrbrmstr

Don't look at me…I do what he does — just slower. #rstats avuncular • ?Resistance Fighter • Cook • Christian • [Master] Chef des Données de Sécurité @ @rapid7

RIM of Destruction

(With apologies to Barry McGuire & P.F. Sloan)

To a familiar tune

RIM of Destruction

The mobile world, it is explodin’
executives flarin’, app updates loadin’
you’re Bold’s enough to sell but no one’s buyin’
no one believes in your PlayBook, but that’s what your totin’
and even the Curve won’t keep you a floatin’
but you tell us over and over and over again my friend,
ah you don’t believe you’re on the RIM of destruction.

Don’t you understand, what I’m trying to say?
Can’t you see the fears that I’m feeling today?
Your consumer and business customers are all running away,
There’ll be nothing to save with QNX in a grave,
take a look around you, Bidulka, it’s bound to scare ya,
and Thorsten tells us over and over and over again Boulben,
ah, he don’t believe he’s on the RIM of destruction.

BYOD’s got me so mad, my blood’s coagulatin’,
I’m tweeting here (from my iPhone), just contemplatin’,
I can’t twist the truth, it knows no regulation,
that iOS & Android are wildly propagatin’
and BB10 promises alone can’t bring integration,
when platform respect is disintegratin’,
this whole mobile world is just too frustratin’,
and you tell us over and over and over again my friend,
ah, you don’t believe you’re on the RIM of destruction.

Think of all the Samsung phones in China,
iOS is on top even in Redmond, WA!,
Ah, you may think you’re a leader in this space,
but you keep returning to that same old place,
your quarterly reports show no pride, just disgrace,
you buried your heads, and soon there won’t be a trace (of you),
copy your neighbours, who’ve all taken your place,
and you tell us over and over and over and over again my friend,
you don’t believe you’re on the RIM of destruction.
no no you don’t believe you’re on the RIM of destruction.

Honeypot Analytics

For this post (and probably a few subsequent ones), I’m taking the role of ‘Pinky” to @jayjacobs’ ‘Brain’ as I share some of my own analysis on the ssh honeypot passwords that Jay collected (you’ll need to read his VZB post before continuing). There are tons of angles for analysis and I’ve been all over the place as ideas have come & gone. I’m probably not breaking much (if any) new ground as there are a number of honeypot tools that provide #spiffy reports like this, but there may be some new insights or at the very least some starting points for folks new to the honeypot scene.

One of the first things I did with the data was to make a histogram of the password lengths the attackers used:


Some questions come up:

  • Why 6 & 8 as the most frequent?
  • What’s up with “khaled-dico-ana-wla-akhou-charmouta-tfeh-kess-ekhtak-bi-ayri-a5ou-a7beh”(the longest one), “FSDwef8529637531598273k1d123kid871kid872tralalalovedolce” and the other large passwords? Are they used in conjunction with other attack vectors (one of my posits)? Are they vanity signatures to inject into honeypots (one of Jay’s posits)

(btw: those are legit questions…if honeypot researchers know the answers, I am curious)

When looking at sources of these attacks, they seem to be concentrated in a few areas:

The brute-forcers also do not seem to rest (click for larger version):

The down days are when they honeypot was, well, down. I am curious as to what caused the surge on the 31st & the 3rd? I believe that actually maps to Fri/Mon if the source is China/Russia.

In the coming days/weeks, I’ll break down some analytics by IP address and focus a bit more on the passwords themselves.

Breach Reach : Google Insights

UPDATE: I had to remove the Google Insight widgets and replace them with static images. There was inconsistent loading far too often in non-Chrome browsers. Click on the graphs to go to the Google Insights detail pages for more interaction with the data.

Information security breaches have been the “new black” in the past eighteen months, with the latest fashion-trend being the LinkedIn passwords fiasco. This got me thinking: what is the “half-life” of a breach? It’s becoming obvious that users do not see the security of their information as a service differentiator or even a tier one decision point when choosing to use a new social network or online application. (How many of you closed out your LinkedIn accounts?) But, just how quickly does their attention wane from a breach event? Pretty quickly, if one formulates a conclusion based on Google Insights search data.

Let’s start with LinkedIn

We have a burst that – if one is generous – captures interest for about a week. Even more interesting is that it seems said interest was limited to very specific geographic regions:

Plus, the incident continues to help show the lack of impact breaches have on stock price:

But, LinkedIn is not exactly a broad-reaching service (i.e. it’s no Facebook).

Breaches Don’t Stop The Shopping

Investor exuberance notwithstanding, LinkedIn is kinda boring since folks use it to actually publish personal data to the world. While it has some private messaging and may hold some financial account information, it’s not like Zappos which has payment information and shopping history, and who was also breached this year. How long did they get attention?

While there is a longer, flat tail, attention is still about seven days (you can interact with the chart and zoom in to verify that claim) and Zappos’ overall consumer interest does not seem to have waned:

Sownage Revisited

The word “Sony” is now almost synonymous with “breach” in the minds of most information security folk. It’s our “go to” example when talking with executives and application teams. Unfortunately, for the purposes of comparative analysis, it wasn’t just one breach. So, while the chart shows closer to a ten week interest period, that makes sense when one considers there were over ten news stories (one for each new breach):

I won’t go into the details as to why including a stock price chart has little efficacy in determining breach effect for Sony (it’s been analyzed to death), but a comparative look at “PlayStation” (with an added factor for “iPad”) shows (to me) that the breaches had far less impact on interest in the PlayStation (one of the main breach targets) than the iPad had:

Breaches Spook The Spooks

So, if breaches are of little interest to the consumer, they must have greater impact on the community that has some skin in the game, right? Kinda. If we look at the RSA & Lockheed breaches:

We see that the Lockheed breach kept attention from mid-April to about mid-July (12 weeks) and RSA spiked twice for about four weeks each time. Both of them were intertwined in the news and RSA had numerous (to be blunt) PR-events that helped keep focus on both.

RSA is part of EMC, so a stock view analysis has many other complexities that make it less than ideal, but both companies (EMC & Lockheed) did not seem to suffer from the extended initial breach interest:

Only One View

I mentioned at the beginning of the post that this was intended to be a single-factor analysis, limited to what insights Google gleans from what folks are searching for. It doesn’t provide a view into enterprise contractual agreements, service usage patterns or even blogger/social media sentiment analysis. Yet, folks search for what they are interested in and when I add a few parameters to the LinkedIn chart:

we see that people are far more interested in Scarlett Johansson, gas prices and even Snookie than they are in LinkedIn insecurity. Perhaps breaches just aren’t sexy enough or personally impacting enough to truly matter…even to security professionals.

Slopegraphs in Python – Failed States Index (Part 1)

The Fund For Peace (FFP) and Foreign Policy jointly released the 2012 version of the “failed states index” (FSI). From the FFP site, the FSI:

…focuses on the indicators of risk and is based on thousands of articles and reports that are processed by our CAST Software from electronically available sources.

I read it every year (mostly due to being an ardent reader of Foreign Policy magazine) and find the rankings, methodology & insights quite intriguing. With my recent work on slopegraphs, I thought this would be a good data set to play with to determine what – if any – features were necessary to support rank order (and to provide some impetus to finally refactor the code to support multi-column slopegraphs…more on that later).

However, I was not looking forward to transcribing the data from the Flash visualization on the Foreign Policy web site. There are HTML grids on the FFP site but I really just wanted the overall rankings (i.e. no sub-indices) and noticed this interesting scrollable mini-grid on one of the FFP FSI pages:

Thankfully[?] it’s an IFRAME and I was able to pull 2010, 2011 & 2012 data in a very usable format by manipulating this URL: http://www.fundforpeace.org/global/tables/fsiindex2010_sml.htm.

After some quick transformations, I had two CSV files for a 2010-2012 comparison and a 2011-2012 comparison.

(Before continuing, I feel the need to point out that the data, methodology, etc is 100% Copyright © 2012 The Fund for Peace as they overtly point out many times on their site.)

When I threw the data into the slopegraph tool, it was immediately obvious that I was missing something important: the ability to specify sort order for the data. For most slopegraphs, the code works well since our brains expect the larger values on the top. For a rank-order slopegraph, that sort order (for the most part) should be ascending vs descending to best represent changes in rank position. It does feel odd that being “#1” in the FSI actually means you’re really a loser, but I didn’t make the rules for their index.

So, PySlopegraph now handles two column rank order slopegraphs and, as you’ll see in part two, also handles multi-column slopegraphs (but that bit needs some work). The code will be up on github in a couple days as I’ve also got some half-finished support for Processing.js and Paper.js that I want to finish before another push. If anyone needs it sooner, just @ or DM me.

Now, For The Data

The “Top 25” (that sounds way too positive for what it really means) slopegraph is the easiest to read (as it’s the smallest). It is also where Foreign Policy & FFP focus some dataviz effort as well (though they do have visualizations for all the data). Here’s the slopegraph showing the rank order chance from 2010 to 2012:

The full slopegraphs are tall slopegraphs (I’ve been prototyping some ways to make tall ones more useful, but that’s nowhere near ready for public consumption). You may just want to grab the two PDFs and look there vs in this post:

Rank Order Comparison :: 2010/2012


Rank Order Comparison :: 2011/2012

While it requires scrolling, the changes in rank are immediately noticeable as is the fact that the the FFP folk allow for ties that leave “holes” in the table. I think you really get a feel for which countries are stable, improving and declining very quickly with the slopegraph version, but I’d like to hear your thoughts if you have an opine you’d like to share.

Stay tuned for part two!

Tweet From Mountain Lion Notification Center

If this feature was in Mountain Lion Developer Previews prior to revision 4, I didn’t notice it, but you can now tweet directly from the Notification Center “pane”.

You first need to make sure said feature is enabled in System Preferences (note the use of the “old” Notification Center icon in the preference pane icon set…perhaps Apple will change that prior to the final Mountain Lion build):

If it is enabled, you now have a Twitter – er – “button” [?] in the Notification Center pane, and clicking it gives you a tweet box where you can drop your 140 from all your connected Twitter accounts.

I suspect there will be similar Facebook posting features integrated, but I’m not part of the Facebook zombie horde and have no way of testing it.

I also noticed that Chrome now has tighter integration with the Notification Center than it did before (as in, I actually saw notifications pop up from Google Mail) and both the Beta channel and Canary builds have integrated the functionality:

WEIS 2012 :: Best of the Best

Sadly, I could not make it to this year’s Workshop on the Economics of Information Security. However, the intrepid conference organizers were quick to post the papers that were presented, and I had a chance to sift through them to pick out what I believe to be the best of the best (they are all worth reading).

A Focus On The Bottom Line

First up is “Measuring the Cost of Cybercrime” by Ross Anderson, Chris Barton, Rainer B ̈ohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore & Stefan Savage. They developed an interesting framework:

which tries to cover all angles of loss (including costs of defense) as well as that of gain by the criminals. They don’t just talk theory & math. They did actual investigations and have produced a great breakdown of costs & criminal gains on page 24 of the paper (click for larger image):

Beyond the details of their methodology, I include them in this list – in part – because of this paragraph:

The straightforward conclusion to draw on the basis of the comparative figures collected in this study is that we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.

What a great, data-backed discussion-starter at your next security conference!

Might As Well Jump

Next up is a very maths-y offering by Adrian Baldwin, Iffat Gheyas, Christos Ioannidis, David Pym & Julian Williams on “Contagion in Cybersecurity Attacks“.

If you’re put off by math symbols, jump to the bottom of page four to stat your reading (right after reading the abstract & introduction). The authors used DShield data and focused on ten services (DNS, ssh, Oracle [they got the port #’s wrong], SQL, LDAP, http/s, SMB, IMAP/S, SMTP) sampled daily for the period 1 January 2003 to 28 February 2011. You can read the paper for their particular findings in this data set, but this extract hones in on the utility of their methodology:

Security threats to data, its quality and accessibility, represent potential losses to the integrity of the operations of the organization. Security managers, in assessing the potential risks, should be interested in the relationship between the contagious threats to these different security attributes. The nature of the inter- relationship between the threats provides additional information to assist managers in making their choices of mitigating responses. For example, if the inter-relationship between threats is constant, independently of the frequency and intensity of threats, security managers can adopt smooth mitigation profiles to meet the threat. In the absence of such stable relationships, the managers’ responses must be adjusted dynamically: for given temporal relationships between the number of attacks, their change (or ‘jump’) in frequency, and their change in size (extent of impact).

I can envision some product extensions incorporating this threat analysis into their offering or even service providers such as Akamai (they have deep, active threat intel) creating a broad, anonymized “contagion” report for public consumption with private, direct (paid) offerings for their clients.

That Is The Question

Lukas Demetz & Daniel Bachlechner hope to help security managers choose investment analysis strategies in their work on “To invest or not to invest?
Assessing the economic viability of a policy and security configuration management tool“. They take eleven economic investment models and work through each of them for a selected tool/technology investment, pointing out the strengths & weaknesses of each (click for larger version of the summary table):

Unsurprisingly (at least for me), none were optimal, but this is the perfect paper for anyone who ever wanted to look at a summary/overview of the “should we invest?” work with an eye on real practicality.

Physician, Secure Thy Data

Martin S. Gaynor, Muhammad Zia Hydari & Rahul Telang aim to assess the impact of market competition on information security and privacy in their work on “Is Patient Data Better Protected in Competitive Healthcare Markets?“.

I first have to hand it to these researches for including the “WORK IN PROGRESS – PLEASE DO NOT QUOTE” tag right up front in the paper. Our industry seems to be one to jump on “facts” way to soon and this should give any infosec pundits pause.

However, (myself ignoring that previous paragraph) if the authors’ continued analysis does end up supporting their initial conclusion that increased competition is associated with a decline in the quality of patient data protection, it may show that security has an uphill battle getting into the “service differentiator” list.

The authors do take a moment to theorize as to why there seems to be an inverse relationship to competition & security:

We posit that hospitals in more competitive markets may be inclined to shift resources to more consumer visible activities from the less consumer visible activity of data protection

Is That A USB Of Patches In Your Pocket?

In “Online Promiscuity: Prophylactic Patching and the Spread of Computer Transmitted Infections“, Timothy Kelley & L. Jean Camp examine the efficacy of various aggregate patching and recovery behaviors using real world data and a plethora of interesting simulations.

If you listened to the SFS “Front Porch” conversation with @joshcorman, @armorguy & yours’ truly, you’ll know how I feel about patching, and I believe this paper help support the somewhat progressive approach to both the need for patching but also the need for intelligent patching (with the latter also requiring #spiffy incident response). The authors may say it best, tho:

We show, using our model and a real world data set, that small increases in patch rates and recovery speed are the most effective approaches to reduce system wide vulnerabilities due to unprotected computers. Our results illustrate that a public health approach may be feasible, as what is required is that a subpopulation adopt prophylactic actions rather than near-universal immunization.

What About The Green Jack?

Finally getting to the coding side of the security economics equation, Stephan Neuhaus & Bernhard Plattner look at whether software vulnerability fix rates decrease and if the time between successive fixes goes up as vulnerabilities become fewer and harder to fix in “Software Security Economics: Theory, in Practice“.

They chose Mozilla, Apache httpd and Apache Tomcat as targets of examination and did a thorough investigation of both vulnerability findings and code commits for each product using well-described and documented statistical methods (pretty graphs, too :-).

Here are the salient bits in their own words:

Our findings do not support the hypothesis that vulnerability fix rates decline. It seems as if the supply of easily fixable vulnerabilities is not running out and returns are not diminishing (yet).

and:

With this data and this analysis, we cannot confirm a Red Queen race.

Folks may not be too surprised with the former, but I suspect the latter will also be good conference debate fuel.

Law & Order : DBU (Data Breach Unit)

Sasha Romanosky, David Hoffman & Alessandro Acquisti analyzed court dockets for over 230 federal data breach lawsuits from 2000 to 2010 for their work on “Empirical Analysis of Data Breach Litigation“.

Why look at breach litigation outcomes? For starters, such analysis “can help provide firms with prescriptive guidance regarding the relative chances of being sued, and having to settle.” For insurance companies, this type of analysis can also be of help in crafting cyberinsurance policies. It can also help companies that have customer data as their primary asset/product better understand their obligations as custodians of such information.

But, you want to know what they found, so here’s the skinny:

Our results suggest that the odds of a firm being sued are 3.5 times greater when individuals suffer financial harm, but 6 times lower when the firm provides free credit monitoring. Moreover, defendants settle 30% more often when plaintiffs allege financial loss, or when faced with a certified class action suit. By providing the first comprehensive empirical analysis of data breach litigation, these findings offer insights in the debate over privacy litigation versus privacy regulation.

It’s a quick read and should be something you forward to your legal & compliance folk.

Achievement: Unlocked

On a topic close to home, Toshihiko Takemura & Ayako Komatsu investigate “Who Sometimes Violates the Rule of the Organizations?: Empirical Study on Information Security Behaviors and Awareness“.

The authors develop a behavioral model based on:

  • Attitude
  • Motivation toward the behavior
  • Information security awareness
  • Workplace environment

and use a survey-based approach to acquire their data.

The “money quote” (IMO) is this:

With regard to the information security awareness, in many cases it is
found that the higher the awareness is, the less the tendency to violate the rule is.

Get cranking on your awareness programs!

(If you made it this far and went through these or other WEIS 2012 papers, which ones were most impactful for you?)

Just Like The Federation

[@hrbrmstr starts working in javascript again]
The Internets: What do you think?
@hrbrmstr: It’s vile.
The Internets: I know. It’s so bubbly and cloying and happy.
@hrbrmstr: Just like the Federation.
The Internets: And you know what’s really frightening? If you develop with it enough, you begin to like it.
@hrbrmstr: It’s insidious.
The Internets: Just like the Federation.

(With apologies to ST:DS9)

Slopegraphs in Python – Gratuitous Raphaël Animations

UPDATE: It seems my use of <script async> optimization for Raphaël busted the inline slopegraph generation. Will work on tweaking the example posts to wait for Raphaël to load when I get some time.

So, I had to alter this to start after a user interaction. It loaded fine as a static, local page but seems to get a bit wonky embedded in a complex page. I also see some artifacts in Chrome but not in Safari. Still, not a bad foray into basic animation.

Animate Slopegraph