The InfoSec Blog

Another Java bug: Disable the java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.

Image representing XMind as depicted in CrunchBase

Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.

A cautionary tale about the dangers of keeping everything in the Cloud

Posted by Anton Aylward

http://www.brisbanetimes.com.au/digital-life/consumer-security/apple-cloud-burst-how-hacker-wiped-mats-life-20120806-23orv.html

"Once the hacker gained access to Honan's iCloud account, he or she
was
able to reset his password, before sending the confirmation email
to the
trash. Since Honan's Gmail is linked to his .mac email address,
the
hacker was also able to reset his Gmail password by sending a
password
recovery email to his .mac address.

Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad
and
Macbook Air remotely. Since the hacker had access to his email
accounts,
it was effortless to access Honan's other online accounts
such as Twitter."

Every new technology has people, the pioneers, who buy into the vendors hype ... and pay a price for that.

We should learn from them.

Computer Security

Enhanced by Zemanta

Tight budgets no excuse for SMBs’ poor security readiness

Posted by Anton Aylward

http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/

From the left hand doesn't know what the right hands is doing department:

Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.

Well, lets leave the vested interests of security sales aside for a moment.

Security Operations Center

I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.

Tagged as: Continue reading

Escalation

Posted by Anton Aylward

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

English: for use in recaptcha

At one level there's the old argument about disclosure of security holes, but this is also an example of 'driving' security improvement.

 

Enhanced by Zemanta

Why Info Sec Positions Go Unfilled

Posted by Anton Aylward

http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/

There are many holes in this, but I think they miss some important points.

First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: "Should Infosec report to IT?" The overall decision was no;. Infosec might need to 'pull the plug' on IT to protect the organization.

Risk management sub processes

Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to "Governance". You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?

Technology won't solve your problems when technology *is* your problem.

 

The diagram above represents a generic Risk Management approach

InfoSec is about protecting the organization's information assets: those assets can be people, processes or information.  Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information.  Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper.  The technology may have changed but most of the fundamental principles have not.  In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.

 


 

Enhanced by Zemanta

How to get a job in security

Posted by Anton Aylward

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/

I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.

What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.

If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.

But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:

NEWARK, NJ - DECEMBER 27:  A stranded traveler...

Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.

Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.

He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.

That really inspires confidence in the system, doesn't it?

So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?

Think again:

Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.

Might we suspect a disgruntled ex-lover?

Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.

Oh, right, there are so many of them, that level of investigation is impractical.

Didn't Bruce Schneier say something about the TSA's approach being impractical, being "Security Theatre"?

Enhanced by Zemanta

Managing Software

Posted by Anton Aylward

Last month, this question came up in a discussion forum I'm involved with:

Another challenge to which i want to get an answer to is, do developers
always need Admin rights to perform their testing? Is there not a way to
give them privilege access and yet have them get their work done. I am
afraid that if Admin rights are given, they would download software's at
the free will and introduce malicious code in the organization.

The short answer is "no".
The long answer leads to "no" in a roundabout manner.

Unless your developers are developing admin software they should not need admin rights to test it.

Social Engineering and sufficency of awareness training

Posted by Anton Aylward

Someone asked:

If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.

Security tokens from RSA Security designed as ...

Yes but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!

Please Realize That Piracy is a Service Problem.

Posted by Anton Aylward

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18:  Protesters demonst...

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn't be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There's a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That's my budget. If I got to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the 'Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

 

Enhanced by Zemanta

The Death of Antivirus Software

Posted by Anton Aylward

http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html

The real issue here isn't Ubuntu, or any other form of Linux.
Its that AV software doesn't work.
PERIOD.

There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can't cope.

This isn't news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.

What's that you say? Other types of AV? Like what?

Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use ... and so on.

Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.

Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor - which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.

The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.

The real problem, though, is not in having the key compromised but is the problem that has always existed - its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don't bother setting their defaults to "no execution" or just say "yes" to the pop-up asking them to permit execution.

No technical measure can overcome human frailty in this regard.

Enhanced by Zemanta

”My dog knows you don’t look like me”

Posted by Anton Aylward

http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157

So do my cats. But so what?

Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in "Minority Report".

And I'm sure there are _other_ ways to hack that than the one mentioned in the movie.

 

Enhanced by Zemanta

Doubts about “Defense in Depth”

Posted by Anton Aylward

 So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a  direct attack).

I have doubts about "defence in depth" analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its "ablation": that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you "go around it" the defence isn't a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we've seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What's needed is more like an all-enclosing "bubble" rather than something linear with the 'defence in depth' model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really "spies inside the defensive perimeter".

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public -- its form of showing that "its doing something".

But how can we tell? The reality is that "security specialists" are finding errors - never mind deliberately malicious code - in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find "errors" that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that's a no-brainer isn't it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson
http://cm.bell-labs.com/who/ken/trust.html

Using ALE … inappropriately

Posted by Anton Aylward

Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this;  summing, summing many hundreds of fluctuating variables to one figure.

Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies but the stock exchanges have their "Top 100" or "Top 50" which are all large companies. Perhaps they do have an effect on the economy the same way that herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.

Treating big things like small things leads to another flaw in the ALE model.  (which is in turn  part of the fallacy of quantitative risk assessment)

The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)

A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as "dollar value" leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child's ?

We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.

Right? NO!

He’s not Ian Paisley

Posted by Anton Aylward

Image of Ian Paisley cropped from Image:Ian_Pa...

Image via Wikipedia

I was at a presentation yesterday.
One of the vendor's speakers, I'm sorry to say, was a CISSP.

OK, he wasn't Ian Paisley or any other radical religious zealot.

BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company's products) and be SAVED by following the One True Faith (only buying his company's products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day's event also had some good speakers. It had some straight forward and 'humble' people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did.  All without the drama, all without the hectoring or intimidation.

Enhanced by Zemanta

Compliance? What Compliance?

Posted by Anton Aylward

United States Securities and Exchange Commission

Image via Wikipedia

Sometimes I wonder why we bother ...

The Securities and Exchange Commission doesn't just enforce the rules
that govern Wall Street. When asked, it often grants individual
companies exemptions from the rules
.

Enhanced by Zemanta

Sony backs U.S. ineffective cybersecurity legislation

Posted by Anton Aylward

Magic Link

Image via Wikipedia

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said.

"By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.

To people like us, IT Audit and InfoSec types, 'control' come in 3 forms

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

Enhanced by Zemanta

A large scale failure of information security

Posted by Anton Aylward

http://www.informationweek.com/news/security/attacks/231000472

Does LulzSec's nonstop hacking campaign, and apparent success at taking
down everyone from Sony to the U.S. Senate, point to fundamental flaws
in website security? "One of the assertions made by the recent run of
high profile attacks was that all networks are vulnerable, and the
groups behind these attacks either had or could have access to many more
systems if they wish," said the SANS Technology Institute's Johannes B.
Ullrich in a blog post. "I would like to question the conclusion that
recent attacks prove that all networks are vulnerable, as well as the
successful attacks [prove] a large scale failure of information security."

I think this so misses the point.
Everybody, every site, very business, every government *is* vulnerable to something, somewhere, sometime.

I'm reminded of the IRA's statement to Margaret Thatcher:

We only need to be lucky once.
You need to be lucky every time.

Times change. New exploits are uncovered. Every patch and upgrade may - will? - introduce a new vulnerability. Changes in staff; changes in configuration and facilities. Changes, changes, changes.

If you think you can secure your system once and be done then you are, at best, fooling yourself, and more realistically acting in a socially irresponsible manner. We are forever lagging behind, and the evidence is that we are lagging further and further behind.

The fact that so many sites are vulnerable, that even PCI:DSS "certified" sites get hacked, and more, *DOES* at least _demonstrate_ "a large scale failure of information security".

Filed under: Crime, Failures, Risk No Comments

Requirements for conducting VA & PT – Take 2

Posted by Anton Aylward

Soe people ae under the mistaken impression that a Pen Test simulates a hacker's action.  We get ridiculous statements in RFPs such as:

The tests shall be conducted in a broader way like a hacker will do.

LOL! If a real hacker is doing it then its not a test :-)

Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.

Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.

And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.

Requirements for conducting VA and PT tests

Posted by Anton Aylward

On one of the lists I subscribe to I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

  1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  2. has no guarantees about what collateral damage the outsider had to do to gain root.
  3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  4. indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.

IT AUDIT VS Risk Assessment – 2

Posted by Anton Aylward

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context - read that sophistication and awareness of the baseline risks - to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don't need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

Risk Analysis

You don't need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn't call this approach "ad-hoc".