<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: fairly]]></title>
    <link>http://www.securityratty.com/tag/fairly</link>
    <description></description>
    <pubDate>Wed, 17 Sep 2008 06:10:36 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Rational Risk Management, Angry Italians, and Irrational Security Analysts]]></title>
      <link>http://www.securityratty.com/article/616867e9cd4e8203d8c23c0bef989749</link>
      <guid>http://www.securityratty.com/article/616867e9cd4e8203d8c23c0bef989749</guid>
      <description><![CDATA[Hope you all had a great weekend. I had meant to point you earlier to a FAIR analysis that Chris Hayes did over at his Blog. But I've been a little busy, and before I could mention it, Stuart King put...]]></description>
      <content:encoded><![CDATA[<p>Hope you all had a great weekend.  I had meant to point you earlier to a <strong><a href="http://risktical.com/2008/11/06/security-template-exception-part-2-%E2%80%93-the-assessment/">FAIR analysis that Chris Hayes did over at his Blog</a></strong>.  But I&#8217;ve been a little busy, and before I could mention it, Stuart King <strong><a href="http://www.computerweekly.com/blogs/stuart_king/2008/11/ive-written-up-a-report.html">put up a kind of angry response</a></strong> on his Computer Weekly blog.  Snark aside, there are a couple of other really troubling aspects of Stuart&#8217;s reaction to Chris&#8217; analysis that I thought we could talk about this morning.</p>
<blockquote><p>The problem is that (Chris&#8217; analysis is) completely impractical. I&#8217;ll take a recent, and fairly typical situation as an example. I was taking issue with the manner in which remote access was being provisioned for a third party vendor to connect to a system hosted by one of our European business units. To cut a long story short, it was not only a breach of policy but highly insecure. I wanted the access to be disconnected, the business unit director wanted my risk assessment. And he didn&#8217;t want to wait for it.</p>
<p>To quote Chris Hayes, spending time on working out <em><strong>the expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force</strong></em> was not going to pacify an angry Italian fearful that my decision was going to cost him money. He wanted my explanation of the risk and, more importantly, what I was going to offer as a solution to keep his business functioning.</p></blockquote>
<p>As Chris is someone who actually does this for a living in a large company, and this is typical of his actual day job, I really find Stuart&#8217;s &#8220;impractical&#8221; comment to be, um, misinformed.</p>
<p>Also, I think Stuart mistakes the purpose of a risk analysis.  The purpose of the risk analysis is not to force someone to be &#8220;secure&#8221;, but to provide knowledge for decision making.  Using it as a &#8220;hammer&#8221; to knock in the nail of your personal risk tolerance impairs efficiency and in the long run retards &#8220;security&#8221;, as it creates political resentment.  Seriously, who cares whether something might violate policy in a pre-implementation discussion?  Policies are not stone tablets handed down from on high; they are a state-in-time codification of the <em><strong>data owner&#8217;s</strong></em> risk tolerance.  This risk tolerance changes sometimes, and that&#8217;s OK.</p>
<p>To that extent, I appreciate (and I&#8217;m sure Chris does, as well) that risk analysis does not create rationality in the data owner.  Someone who sees you as a speedbump on the route to progress may not be ready to appreciate your point of view even if it is stated in the most rational manner possible.  But it&#8217;s worth noting (and Stuart&#8217;s example is indicative of this point) that <em><strong>risk analysis does not create rationality in the analyst, either</strong></em>.  If one is being so &#8220;security minded&#8221; as to ignore the risk tolerance of the business owner, we&#8217;re bound to get a reaction similar to the one Stuart encountered.  In fact, a practical risk analysis like the one Chris performed on his blog, done in 30 minutes, should identify the critical point of disagreement between Stuart and the data owner (again, Stuart doesn&#8217;t own the data; the agitated Italian does).</p>
<p>But let&#8217;s stay rational and open to alternatives to what Chris offers.  Stuart states his approach to risk analysis as:</p>
<blockquote><p>When I need to document a risk assessment I use a very simple form: list the threats, state the level of vulnerability, list the associated operational costs and potential revenue hits. High, medium, or low risk? Describe the controls and options. Write up who needs to do what, and how much of their time it&#8217;s going to take. Job done.</p></blockquote>
<p>At first glance, I don&#8217;t think what Chris has done is any less efficient, and it provides greater insight (using Frequency and Capability instead of just &#8216;listing the threats&#8217;).  But what is key here is that Chris&#8217; approach is consistent and defensible.  Less generous risk geeks and CSOs I know would have no little difficulty with Stuart&#8217;s approach.  But to answer Stuart&#8217;s main objection (impracticality) in particular, I would offer that with practice Chris&#8217; work is probably quicker and easier than Stuart&#8217;s described process, as it eliminates much of the ambiguity an immature risk analysis creates, reducing the need for further discussion and arguments with data owners (regardless of disposition or nationality).</p>
<p>Finally, the irony of Stuart&#8217;s post is that the reason he had this confrontation may in fact be that he was unable to bring a salient model for risk to the table, one that identified the factors that create risk and developed a defensible belief statement concerning risk.  We&#8217;ll never know if one would have helped him in this isolated instance, but I can tell you that in organizations like Chris&#8217;, good risk models and strong risk analyses create operational efficiencies, reduce costs, and streamline intra-departmental communications.</p>
]]></content:encoded>
      <pubDate>Mon, 17 Nov 2008 13:43:15 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/risk">risk</category>
      <category domain="http://www.securityratty.com/tag/risk tolerance">risk tolerance</category>
      <category domain="http://www.securityratty.com/tag/risk models">risk models</category>
      <category domain="http://www.securityratty.com/tag/practical risk analysis">practical risk analysis</category>
      <category domain="http://www.securityratty.com/tag/strong risk anlayses">strong risk anlayses</category>
      <category domain="http://www.securityratty.com/tag/generous risk geeks">generous risk geeks</category>
      <category domain="http://www.securityratty.com/tag/immature risk analysis">immature risk analysis</category>
      <category domain="http://www.securityratty.com/tag/quote chris hayes">quote chris hayes</category>
      <category domain="http://www.securityratty.com/tag/chris hayes">chris hayes</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=520">Rational Risk Management, Angry Italians, and Irrational Security Analysts</source>
    </item>
    <item>
      <title><![CDATA[They didn't go away you know....]]></title>
      <link>http://www.securityratty.com/article/265b22f7a3a1ac42a1aa3d3c8f7bd79d</link>
      <guid>http://www.securityratty.com/article/265b22f7a3a1ac42a1aa3d3c8f7bd79d</guid>
      <description><![CDATA[Listening to a discussion on CNN the day after President elect Obama won the U.S. Presidential race, made me think about what the terrorists may be thinking

It really is fairly easy for the average...]]></description>
      <content:encoded><![CDATA[Listening to a discussion on CNN the day after President-elect Obama won the U.S. Presidential race made me think about what the terrorists may be thinking. <br /><span id="fullpost"><br />It really is fairly easy for the average citizen to push these thoughts out of their mind, but we should always keep it somewhere in our minds - close enough to recall it when necessary.<br /></span><br />Bill Clinton was "tested" early in his Presidency, as was the U.K.'s new Prime Minister, Gordon Brown.  In PM Brown's case it came 72 hours after the election in Britain.  How long may we wait to see something here, or overseas, but definitely aimed at inflicting U.S. casualties?<br /><br />Bottom line - we should always remain alert and open to the idea that something could happen, and we cannot afford to drop our guard and think "they have gone".  Terrorists have great amounts of patience.  They conduct surveillance right under the noses of their intended victims.  As the old saying goes: "we have to be successful every single time - they only have to be lucky once".<div class="blogger-post-footer">Visit Sexton Executive Security at www.sextonsecurity.com</div>]]></content:encoded>
      <pubDate>Fri, 14 Nov 2008 03:02:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/brown">brown</category>
      <category domain="http://www.securityratty.com/tag/gordon brown">gordon brown</category>
      <category domain="http://www.securityratty.com/tag/president elect obama">president elect obama</category>
      <category domain="http://www.securityratty.com/tag/single time">single time</category>
      <category domain="http://www.securityratty.com/tag/conduct surveillance">conduct surveillance</category>
      <category domain="http://www.securityratty.com/tag/bill clinton">bill clinton</category>
      <category domain="http://www.securityratty.com/tag/remian alert">remian alert</category>
      <category domain="http://www.securityratty.com/tag/terrorists">terrorists</category>
      <category domain="http://www.securityratty.com/tag/presidential race">presidential race</category>
      <source url="http://www.thebulletproofblog.com/2008/11/they-didnt-go-away-you-know.html">They didn't go away you know....</source>
    </item>
    <item>
      <title><![CDATA[We've reached the application security tipping point]]></title>
      <link>http://www.securityratty.com/article/6050b998309be3621b2e51a5698fa756</link>
      <guid>http://www.securityratty.com/article/6050b998309be3621b2e51a5698fa756</guid>
      <description><![CDATA[It's been a long road since the early 90s when people first started public sharing of vulnerability information. Back then there were flat LANs, no network filters, and world-writeable NFS mounts...]]></description>
      <content:encoded><![CDATA[<p>It’s been a long road since the early 90s, when people first started public sharing of vulnerability information.  Back then there were flat LANs, no network filters, and world-writeable NFS mounts hanging out on the internet. But with the spread of vulnerability information it all started to change. The first major shift in exploit targets was the move from network vulnerabilities to system vulnerabilities.  As organizations got better at firewalling, switching and encryption, attackers started exploiting misconfigured hosts. The second major shift, to operating system code-level vulnerabilities, came when OS vendors started locking down their systems out of the box and users got better at managing security configurations.  Now we are in the midst of the third major shift.  OS vendors such as Microsoft and the Linux distributions have scrubbed out most of the defects in the OS code.  Microsoft Windows went over a year without a remote unauthenticated “wormable” vulnerability.  Attackers have moved on to applications. </p>
<p>No longer are OS vendors and other large infrastructure technology providers the main source of vulnerabilities. It’s the thousands of applications, produced by thousands of software vendors, that make up this huge third wave. ISS reported that in 2007 the top five sources of vulnerabilities (Microsoft, Apple, Oracle, IBM, and Cisco) had dropped to supplying only 13.6% of them; the other 86.4% came from the thousands of other software vendors that supply our computers with a seemingly unending stream of vulnerabilities for attackers to exploit.</p>
<p><img alt="" src="http://www.iss.net/x-force_report_images/2008/images_for_vulnerabilities/vendors_accountability.gif" title="Top 5 Vendors Only Account for 13.6% of Vulnerabilities" class="alignnone" width="322" height="261" /></p>
<p>In a recent report Microsoft has congratulated itself on doing a good job securing Windows.  And by all accounts they have done a good job.  But then they state this:</p>
<blockquote><p>“Unless software development practices change throughout the industry, any improvements in the security of Windows would be meaningless.” </p></blockquote>
<p>Whoa.  Millions of dollars spent on securing the most prevalent piece of software and it could be meaningless? Yes, it’s true.  Since attackers typically only need one vulnerability, if it isn’t in the network, and it isn’t in the host configuration, and it isn’t in the OS, they will happily exploit a vulnerability in an application. </p>
<p>At every shift of exploit target the problem has gotten more difficult to solve.  Networks had choke points and could be centrally managed.  It took a while, but eventually host configurations became centrally managed and automated tools could scan them.  Although OSes were huge and complex beasts with tens of millions of lines of code, with enough effort their vulnerabilities have been largely tamed, as the track records of Microsoft Windows and the Linux kernel show.  This was a very substantial effort of more than five years, using some of the most talented security people anywhere.<br />
But now what to do?  Instead of a few OSes we now have thousands of applications with vulnerabilities. As Microsoft found out, the attackers don’t go away; they just move on to the next incrementally less juicy vulnerability.  In the world of exploits that typically means the vulnerability with the next smallest target population.</p>
<p>Attackers have started with the common client applications that can be found on almost every machine: Acrobat, Flash, RealPlayer, Quicktime, popular antivirus software.  And they will continue down the popularity slope until they get to application populations down in the thousands which is getting to fairly small software vendors.  Attackers can do this because they can bundle many vulnerabilities together, exploiting the statistical fact that you must have some vulnerable software installed.  Compromised web sites have been found attacking visitors with over ten client side exploits preying on multiple versions of vulnerable client software.</p>
<p>The solution to this problem is that all software must be written securely, not just the software from the big guys.  Small vendors think they aren’t a target, just as home users used to think they weren’t a target.  People thought, “Why would someone want to attack my home computer?”  Then they realized they did home banking, or had a fast internet connection that could be used for DDoS attacks or sending spam.  All software vendors need to get the same wakeup call.  Attackers don’t want to find a vulnerability in <em>your</em> software to make <em>you</em> look bad.  They want <em>any</em> vulnerability.  If the population of your software is small they will just bundle your vulnerability together with others in an exploit pack.  The days of the average software vendor not having to worry about application security are officially over.  </p>
]]></content:encoded>
      <pubDate>Tue, 04 Nov 2008 16:06:02 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/software">software</category>
      <category domain="http://www.securityratty.com/tag/vulnerable software">vulnerable software</category>
      <category domain="http://www.securityratty.com/tag/popular antivirus software">popular antivirus software</category>
      <category domain="http://www.securityratty.com/tag/software vendors">software vendors</category>
      <category domain="http://www.securityratty.com/tag/application">application</category>
      <category domain="http://www.securityratty.com/tag/application security">application security</category>
      <category domain="http://www.securityratty.com/tag/security">security</category>
      <category domain="http://www.securityratty.com/tag/vulnerability">vulnerability</category>
      <category domain="http://www.securityratty.com/tag/wormable vulnerability">wormable vulnerability</category>
      <source url="http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/">We've reached the application security tipping point</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Begins the MS08-067 Post-Mortem]]></title>
      <link>http://www.securityratty.com/article/8b1a636e03c8882d65a7f324bcded81f</link>
      <guid>http://www.securityratty.com/article/8b1a636e03c8882d65a7f324bcded81f</guid>
      <description><![CDATA[It's finger-pointing time. Who let the infamous MS08-067 RPC bug through? Did the vaunted Microsoft Security Development Lifecycle fail? Did people approve the code when they shouldn't have? Microsoft...]]></description>
      <content:encoded><![CDATA[It's finger-pointing time.

Who let the infamous MS08-067 RPC bug through? Did the vaunted Microsoft Security Development Lifecycle fail? Did people approve the code when they shouldn't have?

<a href="http://www.webbuyersguide.com/company/66/Microsoft&kc=eweekarticle110308&src=eweekarticle110308">Microsoft</a> has already begun examining these questions in <a href="http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx" target="_blank">an entry on the SDL blog.</a> The problem, the blog seems to conclude, is the complexity of the code. It's just really hard to find bugs of this nature. To have found it would have been lucky. Michael Howard, the SDL guru and blogger, isn't really pointing fingers, although commenters on the blog are.

It's a prime example of what I wrote about not long ago when I said <a href="http://www.eweek.com/c/a/Security/Still-Overflowing-After-All-These-Years/">buffer overflows would never go away.</a> The examples we all see of what overflows are and how to stop them are fairly simple things: allocate a buffer of size b, read 2*b bytes into it. In this case, two factors made the problem significantly more complex: the overflow happens inside a loop, during which pointer arithmetic is done. This alone makes it harder for humans to identify the bug, and perhaps impossible for tools to identify it without incurring a large incidence of false positives. Stack-checking also failed in this instance.
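The two patterns above, as an added illustration: this is example code written for this note, not the MS08-067 function (which Howard had not yet published when this was written), and the percent-encoding task, function names and buffer sizes are assumptions chosen for the demonstration. The textbook case needs no code: a fixed buffer and a copy that writes more than it holds. The harder case is a loop whose output length depends on the input bytes, so one length check before the loop looks like a bounds check but is not. The first encoder below expands each reserved byte into three output bytes after checking only strlen(src); the second re-checks the remaining space before every write.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative percent-encoder, not the MS08-067 code. Bytes in
   [A-Za-z0-9-._~] are copied; every other byte becomes "%XX", so the
   output length is not a function of strlen(src) alone. */
static int is_unreserved(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' ||
           c == '_' || c == '~';
}

/* The pattern the post describes: a single length check before the loop,
   then pointer arithmetic inside it. Returns the number of bytes actually
   written (including the NUL); a result larger than dst_size means the
   function has already written past the end of a real buffer. */
size_t encode_checked_once(char *dst, size_t dst_size, const char *src) {
    static const char hex[] = "0123456789ABCDEF";
    char *out = dst;
    if (strlen(src) >= dst_size)        /* looks like a bounds check ... */
        return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        if (is_unreserved(*p)) {
            *out++ = (char)*p;
        } else {                        /* ... but this arm writes 3 bytes per input byte */
            *out++ = '%';
            *out++ = hex[*p >> 4];
            *out++ = hex[*p & 0xF];
        }
    }
    *out++ = '\0';
    return (size_t)(out - dst);
}

/* Hardened form: compute what the next iteration needs and compare it with
   the space left before every write, keeping one byte for the NUL.
   Returns bytes written including the NUL, or 0 if the output would not fit. */
size_t encode_checked_per_write(char *dst, size_t dst_size, const char *src) {
    static const char hex[] = "0123456789ABCDEF";
    char *out = dst;
    const char *end = dst + dst_size;
    if (dst_size == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        size_t need = is_unreserved(*p) ? 1 : 3;
        if ((size_t)(end - out) <= need)    /* <= : the NUL still has to fit */
            return 0;
        if (need == 1) {
            *out++ = (char)*p;
        } else {
            *out++ = '%';
            *out++ = hex[*p >> 4];
            *out++ = hex[*p & 0xF];
        }
    }
    *out++ = '\0';
    return (size_t)(out - dst);
}

/* Demonstration helpers: the scratch buffer is really 64 bytes, but the
   encoder is told it only has `claimed`. Bytes written beyond `claimed`
   are the overflow, made visible as a return value instead of a crash. */
size_t demo_once(size_t claimed, const char *src) {
    char scratch[64] = {0};
    if (claimed > sizeof scratch || strlen(src) * 3 + 1 > sizeof scratch)
        return 0;
    return encode_checked_once(scratch, claimed, src);
}

size_t demo_per_write(size_t claimed, const char *src) {
    char scratch[64] = {0};
    if (claimed > sizeof scratch)
        return 0;
    return encode_checked_per_write(scratch, claimed, src);
}
```

With an 8-byte buffer, demo_once(8, "abc") returns 4 and behaves, but demo_once(8, "a b&c") passes the up-front check (five input bytes) and then writes 10, two bytes past the end; demo_per_write refuses the same input at 8 or 9 bytes and accepts it at 10. The per-write check is the slower-but-clear implementation argued for further down: the bound it enforces is visible at the point of every write, which is what a reviewer, or a static tool trying not to drown in false positives, needs to see.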

Howard called the code in question "reasonably complex" and said at a later date he would publish source code from the function. He said Microsoft's automated tools wouldn't find this bug in this type of code. Some comments on the blog asked him whether this complexity is, in and of itself, a problem. Perhaps manual code reviews should have rejected it. Howard didn't go this far, but I sense, in between the lines, that maybe he feels the same.

As a programmer I've seen this sort of code plenty of times and written it myself. The code may have seemed particularly efficient or just plain cool to the programmer, but complex loops with pointer arithmetic sound inherently like asking for trouble. I've written before that Microsoft has a long-term way of writing for the next generation of hardware, and CPU processing power is becoming absurdly cheap. Perhaps an implementation that is slower than necessary, but clear in its operation, is the better choice. Then leave the optimizing to compilers. It's actually an old argument.

Another thing Howard remarks on is the failure of Microsoft's fuzzing tools in this instance. All he says is they didn't find it and they'll work on that, and they are always working on their fuzzing tools. Fuzzing is cool and this episode shows how there's always more work to do in it. <a href="http://blogs.securiteam.com/index.php/archives/1151" target="_blank">Aviram on the SecuriTeam blog relates </a>how over two years ago famous researcher Dave Aitel said his fuzzer found no more bugs in the MS RPC code, so there must not be any. This was probably tongue-in-cheek, but even so, Aitel's probably biting his tongue now.

Even though many levels of tools and procedures put in place to prevent such vulnerabilities failed to do so, it would be a mistake to say the system failed altogether. This vulnerability, just about the worst class of bug we ever get, comes with significant mitigating factors, and is probably, as a practical matter, not exploitable on Windows Vista and Server 2008. Not everything failed.
]]></content:encoded>
      <pubDate>Mon, 03 Nov 2008 10:41:51 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/code">code</category>
      <category domain="http://www.securityratty.com/tag/code plenty">code plenty</category>
      <category domain="http://www.securityratty.com/tag/publish source code">publish source code</category>
      <category domain="http://www.securityratty.com/tag/manual code reviews">manual code reviews</category>
      <category domain="http://www.securityratty.com/tag/microsoft">microsoft</category>
      <category domain="http://www.securityratty.com/tag/rpc code">rpc code</category>
      <category domain="http://www.securityratty.com/tag/securiteam blog">securiteam blog</category>
      <category domain="http://www.securityratty.com/tag/blog">blog</category>
      <category domain="http://www.securityratty.com/tag/howard remarks">howard remarks</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/yYUo7KKMw0Q/microsoft_begins_the_ms08-067_post-mortem.html">Microsoft Begins the MS08-067 Post-Mortem</source>
    </item>
    <item>
      <title><![CDATA[Frustration with PGP-9.6 and networking]]></title>
      <link>http://www.securityratty.com/article/1211e2354185cb54588b99973c0191f0</link>
      <guid>http://www.securityratty.com/article/1211e2354185cb54588b99973c0191f0</guid>
      <description><![CDATA[So, I recently upgraded from PGP-8.1 to PGP-9.6 and I thought I'd share a bit of the frustration

I was running what I believe to be a fairly standard configuration

Corporate desktop image

Outlook...]]></description>
      <content:encoded><![CDATA[So, I recently upgraded from PGP-8.1 to PGP-9.6 and I thought I'd share a bit of the frustration.<br /><br />I was running what I believe to be a fairly standard configuration.<br /><ul><li>Corporate desktop image<br /></li><li>Outlook 2003</li><li>Symantec AV</li><li>PGP-8.1<br /></li></ul>I decided to upgrade my Outlook to 2007.  Turns out that PGP-8.1 isn't compatible with Outlook 2003, so I needed to upgrade.<br /><ol><li>Install PGP-9.6</li><li>Reboot twice per instructions</li><li>Find that my networking completely doesn't work.</li></ol>Turns out that in order to get PGP-9.6 working with things like Symantec's AV that hook the network stack, you need to back out PGP's POP/IMAP network stack hooking.<br /><ol><li>regsvr32 /u PGPfsshl.dll</li><li>Run a Registry merge on c:\WINDOWS\system32\PGPlspRollback.reg</li><li>Reboot</li></ol>Then of course, if you should happen to upgrade PGP to 9.9 because the update is out, you get to repeat all of those last few steps again.<br /><br />This process of course is made a lot easier if you happen to have another machine with network connectivity; otherwise you're kind of SOL.<br /><br />Just my bit of unfun for the afternoon.<br /><br />It is of course working now, and reasonably well.  Kind of sucks that the install isn't a lot easier.]]></content:encoded>
      <pubDate>Mon, 20 Oct 2008 13:44:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/pgp-9">pgp-9</category>
      <category domain="http://www.securityratty.com/tag/pgp">pgp</category>
      <category domain="http://www.securityratty.com/tag/install pgp-9">install pgp-9</category>
      <category domain="http://www.securityratty.com/tag/pgp-8">pgp-8</category>
      <category domain="http://www.securityratty.com/tag/upgrade pgp">upgrade pgp</category>
      <category domain="http://www.securityratty.com/tag/popimap network stack">popimap network stack</category>
      <category domain="http://www.securityratty.com/tag/network stack">network stack</category>
      <category domain="http://www.securityratty.com/tag/lot easier">lot easier</category>
      <category domain="http://www.securityratty.com/tag/upgrade">upgrade</category>
      <source url="http://feeds.feedburner.com/~r/SecurityRetentive/~3/426964111/frustration-with-pgp-96-and-networking.html">Frustration with PGP-9.6 and networking</source>
    </item>
    <item>
      <title><![CDATA[Fort Jennings State Bank Website Hacked, Hosting A Phishing Page For Italian Poste Italiane Bank]]></title>
      <link>http://www.securityratty.com/article/5d2a0a37ed34d4faf390d37abb5adeb5</link>
      <guid>http://www.securityratty.com/article/5d2a0a37ed34d4faf390d37abb5adeb5</guid>
      <description><![CDATA[SophosLabs reports an unusual bank phishing spam campaign in which a particular image phish targets the Italian bank Poste Italiane. The phishing email itself (in Italian) entices users to go to the link...]]></description>
      <content:encoded><![CDATA[SophosLabs reports an unusual bank phishing spam campaign in which a particular image phish targets the Italian bank Poste Italiane. The phishing email itself (in Italian) entices users to go to the link in order to receive 250 Euros worth of &#8220;loyalty bonus&#8221;. This scheme is fairly typical, and the link in the message goes to a [...]]]></content:encoded>
      <pubDate>Wed, 01 Oct 2008 18:56:25 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/image phish targets">image phish targets</category>
      <category domain="http://www.securityratty.com/tag/link">link</category>
      <category domain="http://www.securityratty.com/tag/spam campaign">spam campaign</category>
      <category domain="http://www.securityratty.com/tag/fairly typical">fairly typical</category>
      <category domain="http://www.securityratty.com/tag/italian">italian</category>
      <category domain="http://www.securityratty.com/tag/euros worth">euros worth</category>
      <category domain="http://www.securityratty.com/tag/loyalty bonus">loyalty bonus</category>
      <category domain="http://www.securityratty.com/tag/sophoslabs reports">sophoslabs reports</category>
      <category domain="http://www.securityratty.com/tag/entices users">entices users</category>
      <source url="http://cyberinsecure.com/fort-jennings-state-bank-website-hacked-hosting-a-phishing-page-for-italian-poste-italiane-bank/">Fort Jennings State Bank Website Hacked, Hosting A Phishing Page For Italian Poste Italiane Bank</source>
    </item>
    <item>
      <title><![CDATA[Gov. Palin, Yahoo! Email and Security: A Call To Action?]]></title>
      <link>http://www.securityratty.com/article/79da72f5c48bc03e7980047607f10b49</link>
      <guid>http://www.securityratty.com/article/79da72f5c48bc03e7980047607f10b49</guid>
      <description><![CDATA[The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this...]]></description>
      <content:encoded><![CDATA[<p>The McCain-Palin campaign has offered a rather muted response to the Yahoo! email account breach of Gov. Palin, and so far, the grand jury has opted not to indict the hacker. Is this the end to this sordid tale? Not quite. I believe that the average citizen has been left with a myriad of questions as to the security in as basic a utility as free email. </p>
<p><strong>What&rsquo;s  going on? </strong></p>
<p>&ldquo;Rubico&rdquo;, as the hacker called himself, used an automated password recovery tool where he was asked fairly simple questions to identify himself as Gov. Palin [birthday, zip code, etc.]. Rubico found answers to these within 45 minutes on Google and Wikipedia! Wow! <b>Is it really that easy to hack into email or messaging services that the common person uses globally?...</b>]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/email">email</category>
      <category domain="http://www.securityratty.com/tag/palin">palin</category>
      <category domain="http://www.securityratty.com/tag/free email">free email</category>
      <category domain="http://www.securityratty.com/tag/mccain-palin campaign">mccain-palin campaign</category>
      <category domain="http://www.securityratty.com/tag/questions">questions</category>
      <category domain="http://www.securityratty.com/tag/fairly simple questions">fairly simple questions</category>
      <category domain="http://www.securityratty.com/tag/email account breach">email account breach</category>
      <category domain="http://www.securityratty.com/tag/gov">gov</category>
      <category domain="http://www.securityratty.com/tag/palin birthday">palin birthday</category>
      <source url="http://www.rsa.com/blog/blog_entry.aspx?id=1355">Gov. Palin, Yahoo! Email and Security: A Call To Action?</source>
    </item>
    <item>
      <title><![CDATA[In the News: Hacking Sarah's Email, TSA-Approved Laptop Bags]]></title>
      <link>http://www.securityratty.com/article/9f99d21d694700b803cf34b6f0f0a637</link>
      <guid>http://www.securityratty.com/article/9f99d21d694700b803cf34b6f0f0a637</guid>
      <description><![CDATA[Hacking Palin's Email: It's no secret in the IT community that hacking into someone's email account is a fairly trivial task, but now that VP-candidate Sarah Palin's account has been...]]></description>
      <content:encoded><![CDATA[Hacking Palin's Email: It's no secret in the IT community that hacking into someone's email account is a fairly trivial task, but now that VP-candidate Sarah Palin's account has been cra...]]></content:encoded>
      <pubDate>Wed, 24 Sep 2008 11:47:43 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/account">account</category>
      <category domain="http://www.securityratty.com/tag/sarah palin">sarah palin</category>
      <category domain="http://www.securityratty.com/tag/fairly trivial task">fairly trivial task</category>
      <category domain="http://www.securityratty.com/tag/palin">palin</category>
      <category domain="http://www.securityratty.com/tag/email account">email account</category>
      <category domain="http://www.securityratty.com/tag/emailit">emailit</category>
      <category domain="http://www.securityratty.com/tag/secret">secret</category>
      <category domain="http://www.securityratty.com/tag/community">community</category>
      <category domain="http://www.securityratty.com/tag/cra">cra</category>
      <source url="http://feeds.feedburner.com/~r/itsecurity/~3/402253237/">In the News: Hacking Sarah's Email, TSA-Approved Laptop Bags</source>
    </item>
    <item>
      <title><![CDATA[The Audacity of Capital Markets]]></title>
      <link>http://www.securityratty.com/article/850f85c1d4f79f75ab94faca2b325146</link>
      <guid>http://www.securityratty.com/article/850f85c1d4f79f75ab94faca2b325146</guid>
      <description><![CDATA[It is fairly well established that overt risk taking, greed and corporate arrogance by financial services companies have destroyed the real estate market and crippled the global economy. Countless...]]></description>
      <content:encoded><![CDATA[<p>It is fairly well established that overt risk taking, greed and corporate arrogance by financial services companies have destroyed the real estate market and crippled the global economy.    Countless millions of folks have lost their homes and life savings.  This corporate arrogance and greed was like a &#8220;greed virus,&#8221; spreading across the world like a plague.</p>
<p>A similar arrogance is happening in CEP-land, where, it seems, each and every financial services event processing application is now a &#8220;CEP application&#8221; just because someone in capital markets puts &#8220;CEP&#8221; in the same paragraph.     I find it ridiculous that the same market of folks who have helped destroy the global economy are now the world&#8217;s self-proclaimed authorities on complex event processing.  Amazing, if you really think about it, isn&#8217;t it?</p>
<p>I read many posts these days by folks in the capital markets trading world, claiming their message routing application is &#8220;CEP,&#8221; or their algo trading application is &#8220;CEP,&#8221;  - feeds and speed, typical of what &#8220;turns on&#8221; the financial services folks.   As an editorial note: I recall when I worked for a software company, folks on the same team who worked on Wall Street would look down on folks with many years of IT experience outside of financial services.   Some would say &#8220;he is only a security guy&#8221; in their attempt to put down anyone who does not have trading floor IT experience on their resume.    I found it all quite ridiculous and foolish.</p>
<p>My resume, for what it is worth, has a number of financial services companies, including either assessing, architecting or building large scale security systems for S.W.I.F.T, Chase or SBC.   This experience does not seem to &#8220;count&#8221; with the trading floor folks, since security is more about getting things right, not just supporting a form of gaming or gambling with other people's money, with more feeds and speeds the better.</p>
<p>Of late, as I have watched the CEP/EP space evolve,  and unfortunately, I see a similar type of &#8220;capital markets virus&#8221; spreading into CEP-land.   Folks on the trading side of financial services seem to think that whatever they say or do is right, and whatever others outside of the trading side do is wrong.  These folks are quick to ridicule others who have far more experience than they do, outside of the trading floor of capital markets.</p>
<blockquote><p>After all, mostly what they do on the trading side is route orders -  and if a little old lady in a small town in Iowa loses her life savings because of a bad investment decision, it means little to the folks on the trading floor, the market folks are into feeds and speed - just keep the beast alive.  Place your bet on this market or that one!   Away we go, faster and faster!!!!</p></blockquote>
<p>I am sometimes a little sad to observe the same audacity in the CEP world.  Instead of focusing on the hard complex problems that require accuracy, the original set of problems defined when the phrase &#8220;complex event processing&#8221; was minted, the capital market folks have hijacked the term for their marketing purposes in algo trading and order management systems.  These same people ridicule others who are working to solve the (originally stated) complex event processing problems, problems the capital market traders seemingly cannot understand, since they have never worked on complex network or security management problems.</p>
<p>Never mind that these &#8220;ultra low latency&#8221; systems cannot accurately detect a complex money laundering scheme or an elaborate fraud.   Never mind that these &#8220;CEP engines&#8221; cannot accurately ensure that Average Joe does not lose his hard earned money in a fraud scheme.</p>
<p>I have no problem with folks in capital markets using the term CEP, but they should not ridicule those in technical areas that are not focused on keeping the &#8220;trading beast&#8221; alive so people can lose their life savings in a blink of an eye; but instead focused on solving complex problems such as the class of problems called out when the three letter acronym &#8220;CEP&#8221; was created.</p>
]]></content:encoded>
      <pubDate>Fri, 19 Sep 2008 07:18:37 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/capital market folks">capital market folks</category>
      <category domain="http://www.securityratty.com/tag/market folks">market folks</category>
      <category domain="http://www.securityratty.com/tag/financial services">financial services</category>
      <category domain="http://www.securityratty.com/tag/financial services folks">financial services folks</category>
      <category domain="http://www.securityratty.com/tag/folks">folks</category>
      <category domain="http://www.securityratty.com/tag/complex">complex</category>
      <category domain="http://www.securityratty.com/tag/capital markets">capital markets</category>
      <category domain="http://www.securityratty.com/tag/hard complex">hard complex</category>
      <category domain="http://www.securityratty.com/tag/complex money">complex money</category>
      <source url="http://www.thecepblog.com/2008/09/19/the-audacity-of-capital-markets/">The Audacity of Capital Markets</source>
    </item>
    <item>
      <title><![CDATA[Post Your Questions for Philadelphia Wireless Panelists]]></title>
      <link>http://www.securityratty.com/article/4ffaea55de6513864702705b92a352d0</link>
      <guid>http://www.securityratty.com/article/4ffaea55de6513864702705b92a352d0</guid>
      <description><![CDATA[Organizers of day-long discussion about ubiquitous mobile broadband want to know what you want to ask: In Philadelphia on 22-Sept-2008, panelists from AT&amp;T, Comcast, Sprint XOHM, The Wharton School,...]]></description>
      <content:encoded><![CDATA[<p><img src="http://wifinetnews.com/images/muni_icon.jpg" align="right" border="0" hspace="5" /><a href="http://momo-ma.com/?p=28"><strong>Organizers of day-long discussion about ubiquitous mobile broadband want to know what you want to ask:</strong></a> In Philadelphia on 22-Sept-2008, panelists from AT&T, Comcast, Sprint XOHM, The Wharton School, and Network Acquisition Corporation (the folks who will be operating the former EarthLink network in Phila.) will be on one stage at 6 pm at The Franklin Institute's Planetarium (free, $5 contribution requested, advance registration recommended).</p>

<p>The panel will discuss fourth-generation (4G) networks, including both LTE and WiMax, and discuss what these networks might deliver, as well as how Wi-Fi networks fit into this future. </p>

<p>One of the organizers asked if I'd solicit questions--you can post them below--which they'll try to ask during the panel. The group would then write up responses which could be posted in turn here.</p>

<p>The powerhouse that is <a href="http://werbach.com/about.html"><strong>Kevin Werbach</strong></a>, a professor at The Wharton School, is moderating the event. Werbach has been part of interesting thinking about spectrum for many years, a former editor of Release 1.0, and a former FCC staffer. He'll share the stage with a fairly high-powered crowd, including AT&T's enterprise architect for mobility, the president of NAC, and senior people from Comcast and Sprint Xohm.</p>

<p>The event is part of the Mid-Atlantic Chapter series called MobileMonday, an interesting business group that's trying to provoke discussion and development around mobile technology and access. This particular event is sponsored by local business development organization Select Greater Philadelphia.</p>]]></content:encoded>
      <pubDate>Wed, 17 Sep 2008 06:10:36 +0000</pubDate>
      <category domain="http://www.securityratty.com/tag/wi-fi networks fit">wi-fi networks fit</category>
      <category domain="http://www.securityratty.com/tag/networks">networks</category>
      <category domain="http://www.securityratty.com/tag/sprint xohm">sprint xohm</category>
      <category domain="http://www.securityratty.com/tag/wharton school">wharton school</category>
      <category domain="http://www.securityratty.com/tag/philadelphia">philadelphia</category>
      <category domain="http://www.securityratty.com/tag/mid-atlantic chapter series">mid-atlantic chapter series</category>
      <category domain="http://www.securityratty.com/tag/event">event</category>
      <category domain="http://www.securityratty.com/tag/network acquisition corporation">network acquisition corporation</category>
      <category domain="http://www.securityratty.com/tag/kevin werbach">kevin werbach</category>
      <source url="http://wifinetnews.com/archives/008447.html">Post Your Questions for Philadelphia Wireless Panelists</source>
    </item>
  </channel>
</rss>
