Friday, March 26, 2010

Dr. Howard, Dr. Larry, Dr. Moe? We have a problem.


Background: This is a doctor's office.  This is the same doctor's office that mandates your SSN on at least 4 forms because they claim my insurance company needs it to verify that I am covered. (Reality: I called my insurance company, they do not need my SSN).  Additionally, almost all records in this office are electronic.  Doctors have tablets, computers have all my medical data, etc.  There is still a ton of paper in the office, with test results, signatures, diagnoses, etc ... which I assume (or rather, hope) eventually gets converted to digital format and the originals get shredded.

This door is in the back of the office where, if I wanted to, I could pretend to go to the bathroom and disappear into there for a good while before anyone noticed.  I stood there for at least 2 minutes without anyone walking by, or even hearing a voice nearby.  What do you want to bet this is where their wireless, wired networks converge?  What do you want to bet that there is a dust-covered server in here with backup tapes sitting on top of it?

Oh well...

Thursday, March 25, 2010

PacketForensics - Something Smells Funny...

No doubt by now you've seen the story on Wired's "Threat Level" segment on Packet Forensics titled "Law Enforcement Appliance Subverts SSL"?  I won't reiterate what was written in the story, you can read it yourself, but this is what captured my interest:

"At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania."
Of course, I wanted to know more.  I wanted to talk to those Packet Forensics folks myself!  Well, apparently that's a lot tougher than you'd think.

First off, I tried calling several times during business hours to their Tempe, AZ office and got a "Press 1 for sales, 2 for technical support" ...when I pressed 1 for "sales" I got a message system asking me to leave a message and someone would call me back.  Pressing 2 for "support" got me a live support person who was kind enough to tell me that if I wasn't a current customer I'd need to buzz off.  Hrmm...

Also, apparently their system doesn't think my email address (which is my real email address) is real ...


So ... Packet Forensics folks ... I swear my email address is real.  Will someone reply either privately or here on the blog?  I have many, many questions!

Here are some of those questions...
  1. Are Packet Forensics products using an exploit to perform their duties, or are the devices using legitimately purchased (but cloned) certificates of real sites?
  2. Are these devices being used on commercial carrier networks (ISPs) here in the US?
As you can guess there are many more questions, but I can't even see the products on their page without a login name and password ...geeze!
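The interception the Wired piece describes works precisely because the forged certificate comes from a CA the browser already trusts, so ordinary chain validation says nothing is wrong. The defender's counter is to check the presented certificate against something the CA system does not control: an explicit pin, or at least a record of what the site presented last time. The Python below is an added example (not code from the original post or from Packet Forensics); the host names and the "certificate" byte strings are constructed placeholders.

```python
import hashlib
import socket
import ssl

def cert_pin(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, written HPKP-style."""
    return "sha256/" + hashlib.sha256(der).hexdigest()

class CertMonitor:
    """Per-host record of leaf-certificate fingerprints.

    Chain validation passes for a forged certificate issued by any trusted CA,
    so the leaf is checked separately: an explicit pin for hosts you care about,
    and trust-on-first-use change detection (the Certificate Patrol / Perspectives
    idea) for everything else."""
    def __init__(self, pins=None):
        self.pins = dict(pins or {})   # host -> set of pinned fingerprints
        self.seen = {}                 # host -> fingerprints in the order observed

    def observe(self, host: str, der: bytes) -> dict:
        fp = cert_pin(der)
        history = self.seen.setdefault(host, [])
        previous = history[-1] if history else None
        if host in self.pins:
            verdict = "ok" if fp in self.pins[host] else "pin-mismatch"
        elif previous is None:
            verdict = "first-seen"
        else:
            verdict = "ok" if fp == previous else "changed"
        if fp != previous:
            history.append(fp)
        return {"host": host, "verdict": verdict, "fingerprint": fp, "previous": previous}

def observe_live(monitor: CertMonitor, host: str, port: int = 443) -> dict:
    """Real handshake with the default (chain-validating) context, then the check.
    Assumes network access; the standard library exposes only the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return monitor.observe(host, tls.getpeercert(binary_form=True))

# Constructed stand-ins for DER certificate bytes (placeholders, not real certificates).
GENUINE_LEAF = b"constructed: the site's real certificate"
FORGED_LEAF = b"constructed: a certificate for the same name from another trusted CA"

if __name__ == "__main__":
    mon = CertMonitor({"bank.example": {cert_pin(GENUINE_LEAF)}})   # pin recorded out of band
    for host, der in [("bank.example", GENUINE_LEAF), ("bank.example", FORGED_LEAF),
                      ("mail.example", GENUINE_LEAF), ("mail.example", FORGED_LEAF)]:
        print(host, "->", mon.observe(host, der)["verdict"])
```

A "pin-mismatch" or "changed" verdict is not proof of interception (legitimate key rotation looks the same), but it is the signal that chain validation alone can never give you.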

Tuesday, March 23, 2010

Revisiting the Firewall

I saw an interesting conversation start on Twitter today... it started by a simple question - "How relevant is the firewall in today's IT infrastructure?" ...the answer is ...well ... it depends!

Some of us still think about the firewall as that CheckPoint v3.0 on the Nokia IP440 running IPSO you installed way, way back in 1999.  You know who you are.

There are many arguments, facts, and fallacies on firewalls - and I think it's time we took another look.

Background
The firewall has evolved over time, from a piece of purpose-built hardware, to software-on-generic-hardware, to system-infused firewalls like you have on the modern Windows, Solaris, and Linux operating platforms.  We recognize the names: CheckPoint, Cisco, Astaro, NetScreen, and many others.  We've also used "firewall agents" like the old-school NetworkICE "BlackICE" product (before ISS bought and f'd that up) and many other similar copy-cat products.  Today, firewalls are a matter of IT life.  Odds are if you've installed an [inappropriately named] "Anti-Virus" package lately you have a personal firewall installed ...or you're using the one built into Windows, or Linux, or whatever.  If you're building a network segment you'll be separating it from the big, ugly Internet via a firewall, of that there is no doubt.  There is a problem, however, as questions arise of the real value of the firewall in today's IT climate.

Questions
Questions arise as today's firewalls get deployed.  Some of the main questions I've heard lately are...
  • Aren't these [firewalls] obsolete now that nearly every OS has its own firewall built in?
  • Why do we need firewalls with all these all-in-one devices (UTM devices)?
  • I need a WAF? But I already have a {insert vendor here} firewall!
  • So what about this "vanishing perimeter" I keep hearing security people talking about?
  • ...and there are more
- the point is that there are many types of firewalls out there today, and many devices that mislabel, misrepresent and confuse the buyer.  In the spirit of simplicity I think I'd like to take all these different "types" of firewalls and consolidate them into something simpler to understand.  Let's see if I can get any agreement here.

Firewall Types (as I see it)

  • Basic - You know these best as packet filters.  These firewalls are typically the older-school devices which look at things like state, sequence, port, protocol, directionality and either allow a packet or don't.  They don't look inside the packets ("deep packet inspection") or reassemble payloads, and they tend not to track the full conversation stream.  These are extremely mature products, and have started to go the way of the honest politician (extinct).  The good news is that if you need to segment one network from another in a very basic way - this is the most efficient way to do it.  Basic firewalls are blazingly fast due to their relatively low complexity, which means for extremely high-speed environments this may be the way to go.
  • Stack-Aware - The next option that seems to have evolved over the last several years (probably most pronounced from 2001 onward) is the stack-aware "firewall".  These are most commonly installed on the host itself and they're "shimmed" into the TCP stack.  These types of firewalls understand the content of packets (not merely their 'parameters/flags') and can even do some basic re-assembly of packet streams to figure out if you're getting a malicious payload.  This means that out-of-sequence packets, or "overlapping" packets can be re-assembled and analyzed by the device itself.  Of course, there are limitations in speed, buffer size (memory), and throughput but generally these things are pretty good at protecting at the operating system and stack levels.  I wouldn't go out on a limb and give them credit for anything above that in the OSI network model but they're pretty useful.  You'll find these embedded as value-add on your local CheckPoint box (I forget what the sandbox technology is called now...) and inside your local (again, mis-labeled) anti-virus client + firewall.  It's not super-sexy, or ultra-protective but the basic principles of firewall + stack awareness exist so this is a "level up" in protection.
  • Layer 7 Aware - This is the pinnacle of firewall evolution.  I would argue that firewalls that do this type of filtering shouldn't be your primary firewall or on heavily utilized links since there isn't enough hardware on the planet to understand several applications on a high saturation link.  Trust me, I've tried ...and failed big.  The major contender here is the "WAF - web application firewall", the biggest confusion to hit IT Security in many, many years.  First off the WAF isn't really a firewall - if you go by current definitions.  It is a layer-7 monster though ... so this is why I'm adding this new category on the evolutionary ladder.  Layer 7 awareness means that the firewall device looks at the packets differently than the other 2 categories.  The layer 7 aware device looks at packet content and understands the parameters of the conversation - and the endpoint for which the packet is bound.  If you're filtering a web application - the "firewall/WAF" understands the application-layer communications protocols (http, https) but also understands the layer above - the actual application.  It knows parameters, application logic (at some basic level) and bounds of inputs/outputs.  This should (but hasn't to my knowledge) be extended to things like DNS (which, let's face it, needs serious help) and other protocols too!
So, why have I decided to re-do the firewall evolutionary scale and add my own "Layer 7 Aware" category as the 3rd option?  Because I think it makes sense.  There are too many devices today that call themselves firewalls, too many software programs that claim "firewall" functionality but only perform basic capabilities.
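To make the three tiers concrete, here is an added example (not code from the original post) that simulates each one in Python on constructed traffic: a basic stateful packet filter that sees only ports, protocol, direction and connection state; a stack-aware stage that reassembles out-of-order segments; and a layer-7 stage that understands HTTP and an application rule. The host addresses, the /buy endpoint and the "at most 10 tickets" bound are assumptions made up for the illustration.

```python
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# One TCP segment of constructed sample traffic; seq is the byte offset of payload in the stream.
Segment = namedtuple("Segment", "proto src dst dport direction seq syn payload", defaults=(0, False, b""))

class BasicFilter:
    """Tier 1 (basic): port, protocol, direction and connection state only."""
    def __init__(self, allowed_ports):
        self.allowed, self.flows = set(allowed_ports), set()
    def decide(self, s):
        flow = (s.proto, s.src, s.dst, s.dport)
        if s.direction == "in" and s.proto == "tcp" and s.syn and s.dport in self.allowed:
            self.flows.add(flow)                    # new connection to a permitted service
            return "allow"
        return "allow" if flow in self.flows else "deny"

class StackAware:
    """Tier 2 (stack-aware): reassembles out-of-order segments into the byte stream."""
    def __init__(self):
        self.buffers = {}
    def feed(self, s):
        buf = self.buffers.setdefault((s.proto, s.src, s.dst, s.dport), {})
        buf[s.seq] = s.payload
        data, expected = b"", 0
        for off in sorted(buf):
            if off != expected:
                return None                         # gap: an earlier segment is still missing
            data, expected = data + buf[off], expected + len(buf[off])
        return data if data.endswith(b"\r\n\r\n") else None   # complete HTTP request?

MAX_QTY = 10   # assumed application rule: one order buys at most 10 tickets

def layer7_decide(request: bytes) -> str:
    """Tier 3 (layer-7 aware): understands HTTP and the application's parameter bounds."""
    try:
        method, target, _version = request.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except ValueError:
        return "deny: malformed request line"
    url = urlsplit(target)
    if url.path == "/buy":
        qty = parse_qs(url.query).get("qty", [""])[0]
        if not qty.isdigit() or not 1 <= int(qty) <= MAX_QTY:
            return f"deny: qty out of bounds ({qty!r})"
    return "allow"

def run_pipeline(segments):
    """Final verdict per flow after the three tiers are applied in order."""
    basic, stack, verdicts = BasicFilter([80, 443]), StackAware(), {}
    for s in segments:
        flow = (s.proto, s.src, s.dst, s.dport)
        if basic.decide(s) == "deny":
            verdicts[flow] = "deny: packet filter"
        elif s.payload and (stream := stack.feed(s)) is not None:
            verdicts[flow] = layer7_decide(stream)
    return verdicts

# Constructed traffic: a normal purchase, an out-of-order request with an out-of-bounds
# parameter (it passes tier 1 untouched), and a probe to a port the packet filter rejects.
WEB = "10.0.0.80"
good = [Segment("tcp", "10.0.0.5", WEB, 80, "in", syn=True),
        Segment("tcp", "10.0.0.5", WEB, 80, "in", payload=b"GET /buy?qty=2 HTTP/1.1\r\nHost: x\r\n\r\n")]
bad = [Segment("tcp", "10.0.0.6", WEB, 80, "in", syn=True),
       Segment("tcp", "10.0.0.6", WEB, 80, "in", seq=13, payload=b"-1 HTTP/1.1\r\nHost: x\r\n\r\n"),
       Segment("tcp", "10.0.0.6", WEB, 80, "in", seq=0, payload=b"GET /buy?qty=")]
probe = [Segment("tcp", "10.0.0.7", WEB, 23, "in", syn=True)]
SAMPLE = good + bad + probe

if __name__ == "__main__":
    for flow, verdict in run_pipeline(SAMPLE).items():
        print(flow, "->", verdict)
```

Note what each tier cannot see: the packet filter happily allows the out-of-bounds order because it is ordinary TCP/80 traffic, and the layer-7 rule would be useless on the second segment alone, which is why reassembly has to come first.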

So ... just how relevant is the firewall in today's IT infrastructure?  I think the answer is now, more than ever, extremely relevant.  Without firewalls, at any of those 3 levels of maturity I mentioned above, we have open chaos ...like many of the academic networks I've seen.  Firewalls don't have a prayer of enforcing "security" completely like we all thought they did back in '99 - but without them we're very, very screwed.  For those of you reading this on your Linux machine thinking how crazy I am ... I'm willing to bet you have some client-side firewall running.  I dare say most modern OSes have a built-in firewall ... is it effective?  Maybe.  Does it do a job and serve some purpose? ... absolutely.

Before you disparage the firewall as a concept, make sure you've come to grips with the firewall's evolution, its long history, and the purpose it serves.

Sunday, March 14, 2010

Security Threat Reset - Isn't It About Time?

Fair warning - if you're too politically correct to accept a good rant on the cold, hard truth - don't read this entry.  Move along, the government cheese and political correctness you so desire will return shortly.

So the threat level has been no lower than "Orange" at the airports since what ... fall of 2001?

At some point we have to grow out of the paranoia the TSA is hoping we continue to live in (more on that in a moment) and just come to grips with the fact that we're facing a daily threat.  That threat is either from radicalized Muslims, domestic terrorists, or others who for one reason or another want to see us dead.  Let's just come to grips and accept the fact that there is constant evil in the world.  Let's come to grips with the facts that US foreign policy, coupled with being labeled as "westerners" and having unacceptable social policies like giving our women equality with men - well those just aren't acceptable to some peoples living in the dark ages.

Now, having accepted that we can start to do some real security domestically, digitally.  Here are just a few things that I am compelled to share in light of some of the insanity that's been published lately.  ...also I fly way too much, and live in the digital security industry to just ignore this crap.
  1. First and foremost reset the "threat level" back to green ... why you ask?  Simple - having it up at Orange for so long has begun to do the opposite of what was intended.  People are starting to be de-sensitized to the Orange-ness... and if this happens then Orange is the new Green anyway.  How many people actually walk around the airport with a heightened sense of security ... certainly not those out-of-shape, mental midgets wearing TSA badges.
  2. 1 word - profiling... Please spare me the petty arguments on how that may hurt someone's feelings - fact is it's done every day. You do it, I do it, and the folks monitoring the world's networks "on-the-wire" do it.  There's an entire field of behavioral study in criminology that deals with how to effectively determine whether someone is prone to a certain behavioral pattern ... the political correctness police really need to take a back seat to our safety.
  3. Cyber Shockwave was one of the biggest detriments to any real security on top of the idiocy already in Washington.  As I've been shouting for forever now - the government's internal networks are getting raped repeatedly by foreign entities - now they're going to try and expand their "powers" to private industry?  Are you serious?  I'm going to go out on a limb here and say our private cellular infrastructure is better secured than the Pentagon.  Quote me.
  4. Security Theater (as we all know it) isn't fooling anyone. Those whole-body scanners, I shudder to say, are the first step to anything meaningful that we've done in airport security in decades.  I say real security because obviously the TSA agent with his/her blue light autographing my boarding pass wasn't able to stop some ass-hat "radical" from boarding a flight with a bomb in his jock... right?
  5. Do we really need another cyber-whatever-czar?  I mean, seriously Obama's got someone appointed for everything ...No one wanted Howard's job ... it's like working for a manager that needs you to fill a position so you can be the scape-goat when crap goes south, but you won't actually get the power to avoid the crap-hitting-fan situation.  Howard Schmidt can't succeed, partly because the government is incompetent, partly because his strategy is wrong - and partly because no one gives a sh** about some super-FUD government project aimed to scare people into readily giving away what tiny shreds of personal privacy (I know, I know it's a fallacy) we have left.
Isn't there anyone sane up there in Washington?

Now, where's my rifle...

Friday, March 12, 2010

I Failed a Turing Test - Now What?

It's a common occurrence on modern web applications where anti-automation is required.  CAPTCHAs are everywhere, and now even more prevalent are reCAPTCHAs.  The problem is twofold here, and you've probably experienced this already.

The first real issue is that CAPTCHAs were the most advanced way to deter automated scripts, bots, and programs from filling in forms - such as free web email registration forms - for quite some time.  The reality is that CAPTCHAs were easily broken by anti-automation automation software through the use of OCR (Optical Character Recognition) software.  In a strange irony the software that was built to "read" graphics and translate them into text (as in a scanned document) was being used to "read" CAPTCHAs and thus break the anti-automation.

Next came the reCAPTCHA.  This is much more difficult to break for a number of reasons not relevant here, but the sad reality is that when high-tech solutions fail the bad guys turn to low-tech answers.  The answer in this case turned out to be low-cost worker pools in 3rd world countries.  The evil masterminds out there wrote programs that pulled the reCAPTCHA images into a console and someone would just sit all day and type in the letters they saw.  These worker-drones are often in 3rd world countries, and make on average $0.01 (that's a penny, USD) per image they successfully transcribe.  Now, that may sound insane to someone like you or me - but remember these are 3rd world, impoverished workers who have rapidly expanding access to technology.  Through the Internet's reach they are able to make as much as $3.00-$5.00 per day - that's a fairly good wage when you consider the average income for some of these parts of the world.  Add to that the ability to work from anywhere there is an Internet connection (which doesn't even have to be fast!) and this can turn into the perfect labor for entire families in some of these places.

The economy of greed will always find a way to thrive - and this example is just one of many ways that anti-automation is overcome by ingenuity and low-tech solutions.  This isn't the end of this story though because there is a problem.

What if, in order to compensate for the ever increasing leaps in OCR technology, CAPTCHA companies start to create CAPTCHA images that even a normal human can't decipher?  I ran into one such incident lately, and since it's been happening more and more I thought I should write about it to raise some awareness.

The situation I can most clearly describe (and one that you may already be familiar with) happened on TicketMaster.com.  If you've been ripped off by TicketMaster lately... I mean, if you've bought tickets on TicketMaster lately - you've undoubtedly had to transcribe the CAPTCHA image to complete your ticket search and purchase.  How many times have you found yourself squinting and thinking real hard before typing in those letters you think you see?  I'm betting pretty often.  The problem comes when we have to make Turing tests so hard that humans are failing them.  This undoubtedly brings on the obligatory rant about usable security - right?  Think about it.

This is just one story, one example - I'm sure you have a few of your own like this.

If Turing tests become so difficult that a normal person fails them - and thus is prevented from performing a legitimate transaction - yet criminals are finding ways around this ...who's winning?

Update 1 [3/12/10 @ 10:14am]
So ... this is disturbing but I got an email from someone that says I have my numbers wrong.  This someone would know... apparently the $/CAPTCHA is wrong - the real number right now is: $0.85 USD per 1,000 transcribed CAPTCHAs.  Wow, just wow.

Friday, March 5, 2010

"ControlScan" Security Seal Fraud Exposed

The first domino has fallen... and it's about damn time.

The Federal Trade Commission has settled with the cheats over at ControlScan over their "misleading practices" and lying to customers about their site security.  DarkReading has more on the story here.  Personally, I think the opening paragraph of the summary says it best:

"ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Web sites, has agreed to settle Federal Trade Commission charges that it misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices. The settlements will bar future misrepresentations. The founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains."

Of course, some of us have been blogging and screaming about this type of crap for months, some of us years.  These "security seals" have always been seen as a joke by anyone with an ounce of brainpower and understanding of how security works - but people like the ControlScan folks have been peddling this crap to customers who own websites and don't actually care about their customer's security - only their money.  Whether you're talking about the ControlScan Seal, the HackerSafe seal, or the HackerProof seal - and there are others - it's all crap.

I fully realize that most of the security literate who read this blog know this already... and you're probably like me - when you see one of these seals you run and never go back to the site.  The problem is that the average web-surfing Joe doesn't know better and sees one of these idiotic seals and thinks they're safe.

It's good to see the FTC has finally woken up and is doing something about these deceptive vendors selling a false sense of security.  I can't wait to see the rest of them get lined up and taken down.

Thursday, March 4, 2010

In Security vs. Security, Customer Loses

I just went through a real-life event that really rubbed salt in my security wounds.  It's not bad enough that meaningful security is hard to accomplish - but when our solutions step on each other... it makes matters even worse.

Let me explain...

Background-
I wanted to take my wife out some place fun for her birthday.  There was this comedy club in town her friends were always talking about, that we'd never been to - so I thought I would give it a shot.  Naturally I hit the website rather than going to the box office.  First off, the site design left something to be desired but I figured, hey - they had one of those "McAfee Secure" seals so everything must be good ... I mean, my buddy Trey Ford works there...  I checked out the site, bought some tickets online (using a one-time virtual credit card like this) and that's when things really started going south.

The Problem-
First off, the site has that look.  You know what I'm talking about.  Second, that "McAfee Secured" logo makes me wonder even more about how seriously they took security - or whether it's more likely they're just "checking the box"... But here lies the real problem... I paid with a virtual credit card.  Why is this a problem?  Because - I now have to show that card and a valid ID when I go pick up my tickets. ... So one security feature (virtual credit card numbers) is stepping on another (validating the credit card in person).  Now - this would be a seriously sticky situation - if people actually cared about security.  Why do I say that?  Well - when I called the box office to explain my situation I was told "Oh, don't worry, just give them your name, no one really checks that (physical credit card)".  Well ... that sucks.

So here's my problem - we have 2 pretty good security measures in place, unfortunately they're stepping all over each other, and we sprinkle in a bit of carelessness and we have all the makings of a disaster.

Big Picture-
The bigger picture still, here and elsewhere, is that this is common.  Employees don't understand the value of things like checking physical credit cards against an ID in-person, and all the best planned security measures in the world won't do any good if no one cares.  The site demonstrates clearly, at least to me, that they are simply checking the security check-box; otherwise someone at some point would have noticed ...gee, this may be a problem!

Bummer.  Another place to avoid.