
Category Archives: Information Security

This is the time of year when pundits and armchair/amateur analysts make predictions for the coming year. Given that only a tiny fraction of them predicted the Sonage of 2011 (not Sony specifically or the level of pwnage) or the RSA/Lockheed [↑, ↑, ↓, ↓, ←, →, ←, →, B, A] multi-faceted “supply chain” attack (most just predicted increased “nation state” hacks) or the decimation of trust in certificate authorities (not that we really trusted them before), it is hardly worth the time reading or seriously considering any post presuming to posit what will occur in 2012 (wait…I can’t resist…and it even fits in 140: “2012 Infosec Prediction: There will be more attacks just like the ones this year, if not worse in scale and/or magnitude #protip“).

Instead, why not get some resolve and take charge of what will happen in the coming year? “Resolution” & “resolve” have their roots in the Latin “resolvere“, which has a host of contextual meanings. One highly appropriate one is “to find the answer or solution to“. So, rather than pontificate, here are some “resolves” for you for 2012:

  • Resolve to not buy any more products and to make serious use (beyond the typical 5% you use today) of the ones you have. That may require ensuring your staff has appropriate training to automate where applicable and tweak appropriately where possible. It may also require a good amount of thinking. In most shops, the last thing needed is more tools. Figure out the best way to use the tools you have. Not only will it improve the efficacy of current investments, it will free up more capital for your business units to invest & grow.
  • Resolve to actually have meaningful dialogue with your Internal Audit department. I’ve rarely come across an auditor who is truly evil (they do exist, tho). Most want to Do The Right Thing™, but many lack the technical skillset to turn that desire into a reality. You should make it a goal in 2012 to have you and your Internal Audit department toe-tapping from the same risk dance card.
  • Resolve to join at least one cross-industry information sharing group. Even if it’s just kvetching at a local ISSA meeting, you should not underestimate the cathartic benefit of knowing you’re not alone. Joining or helping to build a full-on entity like the ACSC, however, will reap even larger dividends.
  • Resolve to understand the business model of each of your business units (if you have more than one) and find a way to get a handle on their pain points (the ones you or your IT department are causing). Go out on sales calls; sit in on and shadow call centers; watch highly experienced and effective folks as they get their jobs done by working around IT & security barriers you’ve helped put in place. You’ll come back with business justifications for all sorts of things (like adaptive authentication or revamping your outdated identity & access management model).
  • Speaking of sitting… Resolve to spend three or more total business days at your IT Help Desk (great advice for non-security IT folk, too). You will observe first-hand the gaps in many of your processes (which you should then fix) and will also be able to put real faces & names to the pile of call statistics you ignore every month. I can also guarantee that you will then be spending a great deal of time revamping your incident response plan/procedures (you will see things you really won’t believe).
  • Speaking of statistics… Resolve to pick three meaningful things to start measuring and find a way to collect the data, get access to the data and publish the data (including sharing it to Internal Audit and getting it in front of senior management). A great place to start is the CIS Consensus Information Security Metrics. Your goal is to have at least one action item per month from this exercise (or pick different things to measure).
  • Resolve to kick the effectiveness of your security awareness program up a few notches. Create an internal “YouTube” service that shows real attacks from end-to-end. Make your messages personal by tying in social media awareness, safe browsing practices and patch management with messages of how to help folks keep their kids safe online or themselves safe as they do online banking. Make the learning experience engaging (just like you demand of your kids’ teachers).
  • Resolve to be the first organization of 2012 that has a sane password policy. (This one won’t be easy)
  • Resolve to expand beyond the mystical formulae of CVSS & CWSS and create the foundation for a true risk-centric security program. If you are looking for help/guidance, this rogues’ gallery is a good place to start. WARNING: you will actually have to talk to business/finance people. (*shudder*)
  • Resolve to partner with just one development team and one Ops team and help get them rugged and visible.

Finally, resolve to do just one of the items on that list and you’ll be doing more good in 2012 than all of the prognosticators combined.

Rik Ferguson, Director Security Research at Trend Micro, had a great tweet early last Tuesday morning calling out potential FUD in an article over at The Metro:

Given the plethora of FUD-dropping in the article, I could only think of one way to do it justice, and that was a paragraph-by-paragraph check-in via:


Every FUD-check counts!

(it may help to have the article open in another window)

OK! we’ve got you at The Metro. You’ve been here 1 time.
  • +1 for heartstring tug (“Children”)
  • +1 for immediate FUD in headline
  • +1 for Facebook reference in headline
Nice check-in! You earned +3 points!
  • +1 for mention of Pentagon in sub-head
  • +3 for context switch from personal to national scariness
  • +1 for Facebook reference in sub-head
  • +1 for first use of “cyber”

Great mixing of FUD domains!
  • +3 for context switch to “child pornography” in main article picture caption
  • +1 for Facebook reference in caption

You’ve been to Facebook FUD 3 times! You’re the Mayor!
  • +3 for context switch back to national scariness
  • +1 for use of “cyber”
Every cyber-FUD check-in counts!
  • +2 for global scariness
  • +1 for social-media scariness
  • +3 for Facebook (you’re the Mayor!)
  • +1 for mentioning Sony attack
  • +1 for national scariness
  • +1 for mentioning Lockheed attack
  • +1 for mobile scariness
  • +1 for use of ‘bot’
Whoa! +10 points! Awesome check-in!
  • +3 for context switch back to personal scariness
  • +1 for re-mention of child pornography
  • +2 for added scariness of kidnappers

You know “they” know where they live and aren’t afraid to spread the FUD!
  • +1 for geolocation scariness

Headed in the right direction with this check in!
  • +1 for more geolocation scariness
  • +3 for Facebook (you’re the Mayor!)
  • +2 for “bedroom”

With that last check-in, you’re well on your way to becoming the Mayor of FUDville!
  • +1 for social-media scariness

Social-FUD FTW
  • +3 for Facebook (You’re the Mayor!)
  • +3 for coining ‘lifejacking’
  • +1 for mobile scariness

The Mayor is in the house!
  • +2 for Android scariness
  • +1 for “Wild West”

Artificial life-form FUD meets historic gunslinger FUD!
  • +1 for mobile/acrobatics tie-in
You’re a FUD gymnast!
  • +1 for SMS scariness
Every check-in counts!
  • +3 for Anonymous reference
  • +3 for LulzSec reference
  • +3 for context switch back to national scariness
Good use of “cyber-vigilante” FUD!
  • +1 for Lockheed reference

Defense FUD FTW!
  • +1 for “cyber”
  • +1 for “cyber”
  • +1 for “cyber” (You’re the Mayor!)
  • +3 for “cyber”

You’ve earned the Cyber-FUD Badge!
  • +3 for “cyber” (You’re the Mayor!)
  • +10 for nuclear scariness
  • +10 for “scary”
FUD is scary
  • +10 for context switch to global “Olympic” scariness

Congratulations! You scored over 100 points! You’re the mayor of FUD-ville!
(Done with homage to @shpantzer‘s SCSOVLF.)

The FBI made a tool to help you determine if you were a victim of the DNSChanger malware.

If you’re like many casual Internet users, you have no idea how to get the information to plug into the input box.

Unfortunately, the security model of most modern browsers makes it impossible for page script to read the operating system’s resolver settings. It is possible to grab the DNS entries, however, if the user is willing to trust the requesting source by running signed, privileged code.

To help make it easier to determine if you’re infected, I wrote DNSChanger Detector. It’s a small Java applet that requires the user to allow it privileged access; it then calls sun.net.dns.ResolverConfiguration to get the configured nameservers. Once it has them, there is some jQuery glue in place to let JavaScript access the results. Two caveats: sun.net.dns.ResolverConfiguration is an internal, unsupported JDK class rather than a public API, and a prompt asking users to grant an applet full privileges is exactly the prompt malware trains them to click through, so this is a tool for trusted helpers, not a general-audience pattern.

I understand why the FBI didn’t attempt to go this route, but it will hopefully be useful to folks who don’t wish to walk their friends and family through the process of finding the values themselves.
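The check the applet performs once it has the nameserver list is a simple range comparison. The following is an added example, not the DNSChanger Detector code from this post: it parses nameserver lines from resolv.conf-style text (constructed sample input below) and tests each address against the six rogue-server ranges the FBI published for the DNSChanger takedown. Those ranges are transcribed from memory of the FBI advisory and should be verified against the FBI’s own list before you rely on them.

```python
"""Offline DNSChanger resolver check (added example, not the applet from the post)."""
import ipaddress
import re

# Rogue DNS server ranges as published by the FBI for the DNSChanger case.
# Assumption: transcribed from the FBI advisory; verify against the source list.
ROGUE_RANGES = [
    ipaddress.ip_network(n)
    for n in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample input, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
search example.test
nameserver 85.255.112.36   # inside a rogue range
nameserver 8.8.8.8
"""


def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, ignoring comments.

    This is the Unix way to get the same data the applet reads through the
    JVM's ResolverConfiguration; Windows users would read 'ipconfig /all'.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def is_rogue(address):
    """True if the address falls inside one of the published rogue ranges.

    Non-address strings return False rather than raising, so a garbled
    resolv.conf line cannot abort the whole check.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    # An IPv6 address is never contained in an IPv4 network, so this is
    # safe if a host lists v6 resolvers.
    return any(ip in net for net in ROGUE_RANGES)


def check_resolvers(servers):
    """Map each configured resolver to whether it is in a rogue range."""
    return {server: is_rogue(server) for server in servers}


if __name__ == "__main__":
    results = check_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))
    for server, rogue in results.items():
        print(f"{server:16} {'ROGUE' if rogue else 'ok'}")
```

Two things the range check alone does not cover: a host running a local stub resolver will show 127.0.0.1 in resolv.conf and must be checked at the stub’s upstream setting instead, and DNSChanger also rewrote DNS settings on home routers, so a clean host list does not clear the network it sits on.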

A while back I was engaged in a conversation on Twitter with @diami03 & @chriseng regarding (what I felt was) the need for someone to provide the perspective from within a medium-to-large enterprise, especially when there are so many folks in infosec who are fond of saying “why didn’t they just…?” in response to events like the Sony attack or the compromise of the senate.gov web servers.

Between consulting and full-time employment I’ve been in over 20 enterprises ranging from manufacturing to health care to global finance. Some of these shops built their own software, others used/customized COTS. Some have outsourced (to various degrees) IT operations and others were determined to keep all activity in-house. Each of them has had challenges in what many would say should be “easy” activities, such as patching, vulnerability management or ensuring teams were using good coding practices.

It’s pretty easy for a solitary penetration tester or industry pundit to lay down some snark and mock large companies for how they manage their environments. It’s quite another experience to try to manage risk across tens (or hundreds) of thousands of employees/contractors and an equal (or larger) number of workstations, combined with thousands of servers and applications plus hundreds (or thousands) of suppliers/partners.

While I would not attempt to defend all enterprise inadequacies, I will cherry-pick some of the top snarks & off-hand statements for this series and try to explain the difficulties an enterprise might have along with some suggestions on how to overcome them.

If you have a “why didn’t they just…?” you’d like answered drop me a note on Twitter or in the comments.

Eventbrite site: http://www.eventbrite.com/s/5cnV

It’s at Fort Foster. We thought about it a bit late in the season so there’s no pavilion, but I’ll be there wicked-early and have a gazebo-like covering set up over some tables. I highly suggest bringing folding chairs. There is a nominal entrance fee (cash). The link to Fort Foster is on the Eventbrite page.

I’ll have signs up showing where we’re set up.

Right now (08-16) there are over 30 ppl (including family members) signed up!

I’m making a boatload of pulled BBQ (still not decided on chicken or pork) for everyone. It’s potluck, so bring as much or as little as you like. I’ll work on a massive bucket of drinks as well (’tis a busy week here, unfortunately) and will no doubt have spare plates & napkins.

We set up a Google spreadsheet if you wish to post what you plan to share (if anything…no worries).

I updated the Eventbrite posting with my Google Voice # if you need to reach me by phone for any reason.

Fort Foster has a beach area, scuba diving area, can handle kayaks and has a nice (but smallish) set of hiking trails. There are also grills if you plan on bringing raw items to cook.

If you have any questions, do not hesitate to ask!

Oh, yeah, it will come as a complete surprise, but I’ll have the “shield” on so you can recognize me :-)

Everyone who can read this blog should remember the Deepwater Horizon spill that occurred in the Spring of 2010: huge loss of life (any loss is huge from my perspective) and still unknown impact to the environment. This event was a wake-up call to BP execs and other companies in that industry sector.

You should all also remember the “Sonage” of this Spring, where Sony lost millions of records across 12+ web site breaches; it should have been a wake-up call to almost every sector.

BP committed to developing and implementing a new Safety & Operational Risk (S&OR) program (which is now active). Sony is planning on hiring a CISO and has started hiring security folk, but they really need to develop a comprehensive Security & Operational Information Risk Program (and I suspect your org does as well).

What can we in the info risk world glean (steal) from BP’s plan and new S&OR Organization? Well, to adapt their charter, a new S&OIR program charter might be:

  • Strengthen & clarify requirements for secure, compliant and reliable computing & networking operations
  • Have an appropriately staffed department of specialists that are integrated with the business
  • Provide deep technical expertise to the company’s operating business
  • Intervene where needed to stop operations and bring about corrective actions
  • Provide checks & balances independent of business & IT
  • Strengthen mandatory security & compliance standards & processes (including operational risk management)
  • Provide an independent view of operational risk
  • Assess and enhance the competency of its workforce in matters related to information security

BP claims success from their current program (the link above has examples), and imagine – just imagine – if your org required – yes, required – that new systems & applications conform to core, reasonable standards.

In their annual report, BP fully acknowledged that risks inherent in its operations include a number of hazards that, “although many may have a low probability of occurrence, they can have extremely serious consequences if they do occur, such as the Gulf of Mexico incident.” Imagine – just imagine – if you could get your org to think the same way about information risk (you have plenty of examples to work from).

BP did not remove responsibility for managing operational risk and operational delivery from the business lines, but they integrated risk analysts into those teams and gave them the authority to intervene when necessary. It took a disaster to forge this new plan. You don’t need to wait for a disaster in your org to begin socializing this type of change.

Imagine…just, imagine…

What can the @lulzsec senate.gov dump tell us about how the admins maintained their system/site?

[code light="true"]SunOS a-ess-wwwi 5.10 Generic_139555-08 sun4u sparc SUNW,SPARC-Enterprise[/code]

means they haven’t kept up with OS patches: that is a 2009-era Solaris 10 kernel patch level on a box dumped in mid-2011. [-1 patch management]

[code light="true"]celerra:/wwwdata 985G 609G 376G 62% /net/celerra/wwwdata[/code]

tells us they use EMC NAS kit for web content.

The ‘last‘ dump shows they were good about using normal logins and (probably) ‘sudo‘, and used ‘root‘ only on the console. [+1 privileged id usage]

They didn’t show the running Apache version (just the config file…I guess I could have tried to profile that to figure out a range of version numbers). There’s a decent likelihood that it was not at the latest patch version (based on not patching the OS) or major vendor version.

[code light="true"]Alias /CFIDE /WEBAPPS/Apache/htdocs/CFIDE
Alias /coldfusion /WEBAPPS/Apache/htdocs/coldfusion
LoadModule jrun_module /WEBAPPS/coldfusionmx8/runtime/lib/wsconfig/1/mod_jrun22.so
JRunConfig Bootstrap 127.0.0.1:51800[/code]

Those and other entries say they are running ColdFusion, Adobe’s web application server/framework, on the same system. The “mx8” suggests ColdFusion MX 8, a release that was two major versions old by the time of the dump (ColdFusion 9 shipped in 2009), and therefore an out of date, insecure version. [-1 layered product lifecycle management]

[code light="true"]SSLEngine on
SSLCertificateFile /home/Apache/bin/senate.gov.crt
SSLCertificateKeyFile /home/Apache/bin/senate.gov.key
SSLCACertificateFile /home/Apache/bin/sslintermediate.crt[/code]

(along with the file system listing) suggests the @lulzsec folks have everything they need to host fake SSL web sites impersonating senate.gov. Once a private key has been read by an attacker the certificate is compromised whether or not it is ever abused; the only remedy is to revoke it and issue a new key pair and certificate.

Sadly,

[code light="true"]LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

</IfModule>[/code]

shows they had a built-in WAF available, but either did not configure it well enough or did not view the logs from it. Note what the quoted block actually does: the Unicode encoding check is off, the byte-range check allows every byte from 0 to 255 (i.e. it rejects nothing), and there is not a single SecFilter or SecFilterSelective rule, so the engine is “On” with only the URL-encoding check doing any work. A WAF that is loaded but has nothing to match is a line item on a compliance checklist, not a control. [-10 checkbox compliance vs security]
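For contrast, here is what the same block looks like with the weak settings corrected. This is an added example, not the leaked senate.gov config or anything from the dump; it uses the mod_security 1.x directive syntax the leaked file uses (that branch had already been superseded by ModSecurity 2.x and its rewritten rule language, so on a current host you would write the equivalent in 2.x syntax instead). The ColdFusion administrator path rule is an assumption about the site, not something the dump shows.

```apache
<IfModule mod_security.c>
SecFilterEngine On
SecFilterScanPOST On

# Reject malformed URL encoding and malformed Unicode (the leaked config had
# the Unicode check turned Off).
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On

# 0 255 accepts every byte. Printable ASCII plus tab/CR/LF is enough for a
# site serving English text; widen this only if the application really
# accepts raw UTF-8 in requests.
SecFilterForceByteRange 32 126

# Same default action as the leaked file; a 403 is more honest than a 500
# but either is fine as long as "log" stays in the list.
SecFilterDefaultAction "deny,log,status:403"

# The leaked block had no rules at all. A handful of real ones:
# - directory traversal in any part of the request
SecFilter "\.\./"
# - the ColdFusion administrator console should never be reachable from the
#   public side (assumption: admins reach it over an internal path/tunnel)
SecFilterSelective REQUEST_URI "^/CFIDE/administrator"
# - command/shell injection attempts in query string or POST body
SecFilterSelective "ARGS" "(/bin/(sh|bash|csh|ksh)|cmd\.exe)"
# - classic SQL injection markers in arguments
SecFilterSelective "ARGS" "(union\s+select|;\s*drop\s+table)"

# Log every blocked request, and raise the debug level from 0 so that rule
# hits leave a trace an admin can actually review.
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 1
</IfModule>
```

The directives are the easy part; the “did not view the logs” half of the finding is fixed by shipping logs/audit_log to wherever the rest of the system logs are reviewed and having someone own the review.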

[code light="true"]-rw-r--r-- 1 cfmx 102 590654 Feb 3 2006 66_00064d.jpg[/code]

(many entries with ‘102’ instead of a group name) shows they did not do identity & access management configurations well: ls prints a bare numeric GID when no entry for it exists in the group database, which is what you get when content is copied from another host or onto NAS without reconciling /etc/group. `find -nogroup` will list such files on any Unix box. [-1 IDM]

The Apache config file discloses pseudo-trusted IP addresses & hosts (and we can assume @lulzsec has the passwords as well).

As I tweeted in the wee hours of the morning, this was a failure on many levels since they did not:

  • Develop & use secure configuration of their servers & layered products + web applications
  • Patch their operating systems
  • Patch their layered products

They did have a WAF, but it wasn’t configured well and they did not look at the WAF logs or – again, most likely – any system logs. This may have been a case where those “white noise port scans” everyone ignores were the intelligence probe that helped bring this box down.

Is this a terrible breach of government security? No. It’s a public web server with public data. They may have gotten to a firewalled zone, but it’s pretty much a given that no sensitive systems were on that same segment. This is just an embarrassment, with a bit of extra badness in that the miscreants have the SSL certificate and its private key. It does show just how important it is to make sure server admins maintain systems well (note, I did not say security admins) and that application teams keep current, too. It also shows that we should be looking at all that log content we collect.

This wasn’t the first @lulzsec hack and it will not be the last. They are providing a good reminder to organizations to take their external network presence seriously.

Laura Brandimarte
Alessandro Acquisti
Joachim Vosgerau

Twitter transcript

#weis2011 How does information related to past events and retrieved today get discounted? Why does neg valence receive more weight?

#weis2011 how do we improve trustworthiness?

#weis2011 "designers of modern tech do not understand human fallibility and design systems w/o taking them into account" < true

#weis2011 the reason why bad sticks better than good is that the way it gets discounted may be different.

#weis2011 experiments were survey based & randomized. all were students < not sure that's random enough or broad enough selection

#weis2011 (me) I hope they make the slides avail. ton of good info I just can't capture (and I don't have an e-copy)

#weis2011 "good" information only matters if it's _recent_. "bad" information is not discounted at all. it "sticks" < huge e-implications