Tuesday, September 30, 2008

Getting Hacked: Arrogance or Ignorance?

Hi readers, I read a fair amount of blogs and occasionally find something I just feel compelled to pass along. This time I came across an article that was too interesting not to share, but which unfortunately highlighted (unintentionally, I think) something that we [all of us] have badly overlooked.

First, the article. "News of Frauds" is a blog maintained by Piyush Sood. Yesterday he cross-posted an article from PCmag.com, written originally by Corinne Iozzio, on the most "mysterious" cyber-crimes of all time. While I may not agree with Corinne's assessment of the importance/mysteriousness of these crimes, I think she pointed out a little gem.

If you scroll down to the "Supermarket Security Breech" you'll notice an interesting quote.

"Chain reps and security experts are still unclear as to how the criminals gained access to the system; the 2005 T.J.Maxx breach took advantage of a vulnerability in the chain's wireless credit transfer system, but Hannaford and Sweetbay do not use wireless transfers of any sort."

This quote fascinated me instantly. Of course they may not have known about any wireless; that's kind of the point, isn't it? How many companies are willing to say, on the record, "no, we do not have wireless," only to get hacked through some open access point hidden under someone's desk or in a conference room to "share network access"? It's a sad commentary, I think.

Saying "we have no wireless" and actually having a policy that prohibits people from hooking up access points at random are two entirely different things, and neither one tells you what is really on the air. Oddly enough, most companies simply say "we don't allow wireless" and then wonder how they could possibly have gotten hacked when their network is so air-tight.

I can't stress this enough. If you don't want something on your network, make a policy against it and be ready to enforce that policy, which means being able to detect the violation in the first place: walk the floor with a wireless survey tool, compare what you see against the radios IT actually installed, and check the switch ports that unexpected devices are hanging off of. Otherwise... expect to be hacked. Or at least be ready to explain why you weren't ready.
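Here is the kind of check I mean, as an added example that is not code from the original post. It compares a wireless survey against an inventory of the radios IT actually installed and flags anything that doesn't belong. The survey lines, the "CorpNet" SSID and all BSSIDs below are constructed for illustration; in practice you would feed it the export from your survey tool or your WLAN controller's neighbor list, and the -65 dBm "on premises" threshold is an assumption you would tune for your building.

```python
"""Rogue access point check against an inventory of sanctioned radios.

Added example, not code from the original post. The survey lines, SSIDs
and BSSIDs below are constructed for illustration; in practice feed it the
export from a wireless survey tool or your WLAN controller's neighbor list.
"""
from dataclasses import dataclass

# Assumptions: the sanctioned SSID(s) and the BSSIDs of every radio IT installed.
CORPORATE_SSIDS = {"CorpNet"}
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed survey output: bssid,ssid,channel,signal_dbm,encryption
SCAN_LINES = """\
00:11:22:33:44:01,CorpNet,6,-52,WPA2
00:11:22:33:44:02,CorpNet,11,-60,WPA2
AA:BB:CC:DD:EE:01,linksys,6,-45,OPEN
AA:BB:CC:DD:EE:02,CorpNet,1,-40,OPEN
AA:BB:CC:DD:EE:03,NeighborCafe,1,-85,WPA2
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    signal_dbm: int
    reason: str


def parse_scan(text):
    """Yield (bssid, ssid, channel, signal_dbm, encryption) for each survey line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, signal, enc = line.split(",")
        yield bssid.upper(), ssid, int(channel), int(signal), enc.upper()


def check_rogues(scan_text, authorized, corporate_ssids, on_premises_dbm=-65):
    """Return Findings for radios that are not in the inventory.

    A weak, unknown SSID is most likely a neighbor and is ignored. Anything
    unknown that advertises the corporate SSID, or that is strong enough to be
    inside the building, gets reported for a physical walk-down.
    """
    findings = []
    for bssid, ssid, _channel, signal, enc in parse_scan(scan_text):
        if bssid in authorized:
            continue
        if ssid in corporate_ssids:
            reason = "unauthorized radio advertising the corporate SSID (possible evil twin)"
        elif signal >= on_premises_dbm:
            reason = "unknown access point with on-premises signal strength"
            if enc == "OPEN":
                reason += ", unencrypted"
        else:
            continue  # weak and unknown: probably the cafe next door
        findings.append(Finding(bssid, ssid, signal, reason))
    return findings


if __name__ == "__main__":
    for f in check_rogues(SCAN_LINES, AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{f.bssid}  {f.ssid:<14} {f.signal_dbm:>4} dBm  {f.reason}")
```

Run against the constructed survey it reports two radios: the open "linksys" box at -45 dBm (someone's desk) and the unsanctioned radio advertising CorpNet, which is the more dangerous of the two because clients will happily join it. The neighbor's cafe at -85 dBm is ignored. The inventory comparison is the important part: a survey alone only tells you the air is busy, while the diff against what IT installed tells you what to go unplug.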

Friday, September 26, 2008

La Guardia/NWA Airport Craziness

Update: From the pilot on my flight I got some light news... apparently that flight blew a tire and was stopped after it landed. *Whew!*

Hello folks, this post is a little off-topic, but as I sit here and stare out the Red Carpet Club window waiting for my two-hour-late departing flight (gotta love La Guardia, eh?), I can see a NWA jet sitting out off of the C concourse with tons of emergency crews (3 fire trucks, police vehicles, and various other emergency vehicles as well as 3 buses) and lots of flashing lights, but no movement from the plane. The plane is about 500' from the jetway, and there doesn't appear to be any immediate danger since other planes are buzzing about the area without issue.

Just thought I'd let everyone in on it, in case someone sees it on the news later. Weirdness.

Thursday, September 25, 2008

OWASP AppSec 2008 - New York

OWASP AppSec 2008 in New York City, day 2 is officially under way. Day 1 was tremendous simply because of all the great people I got to get back in contact with, and many I've never met in person before. There were also a bunch of wonderful presentations. For example, the w3af talk by Andres Riancho was not only very informative, but made me realize that commercial black-box web app sec tool vendors have some things to learn from w3af and the group supporting it. The Cross-Site Scripting Filter Evasion talk by Alexios Fakos was also very good; it filled the room and got thunderous applause when it was over... great job. I think Alexios made lots of the folks in that room realize that their black-lists are not only very inadequate, but that you can do so much more than most people even think to evade filters. Ivan Ristic's talk on mod_security was pretty good too. If the commercial WAF vendors didn't have someone in the room paying attention, it was their loss. No matter how you feel about the topic of WAF, Ivan's talk set the record straight in a lot of ways and clearly outlined the benefits and downfalls of the WAF community while highlighting mod_security.

I think I have to echo the sentiment of the folks I was standing around with when it comes to the ISC^2 tactic for party-scheduling. First off, a room full of security nerds and an open bar is never a good idea for that much time... but when you first don't feed us and then give us endless glasses of liquor before your talk on... whatever it was you talked about, I don't think anyone remembers what that talk was about. All I can recall is that someone won a 42" TV, and that my drink (Goose & cranberry) ended up being a fruit punch and grapefruit. I guess that's what I get for ordering from a guy that, well...

As a final note - thanks to Trey and Darren for hanging out and drinking beers and eating some late-night dinner food... great times guys.

Now I'm off to the next day of presentations and lunacy.

Sunday, September 21, 2008

TSA "Special Screening" Fun

Hi friends - Odds are, as you read this on Monday morning with your donut and latte, I'll be getting "Special Screening" from our friends at the TSA.

Why? I've got 3 one-way tickets booked, international, between Chicago, Ottawa (CA), Montreal (CA), and New York City. I didn't do it intentionally to get hassled; it just worked out that way, lovely for me. Conventional logic would tell you that of those 3 tickets, at least one of them will qualify for the "Special Screening" (with the SSSS on the bottom of the boarding pass). I'll report on what happens... stay tuned.

I can't wait to meet up with some folks at the AppSec event in NYC (OWASP '08)... it'll be a blast. For those of you coming to the 2 workshops in Ottawa and Montreal - see you there!

Wednesday, September 17, 2008

Consumerization - The End of Corporate Security (as we know it)

Source: Palo Alto Networks "The Application Usage and Risk Report" (Fall 2008 Edition)

Don't act so surprised. I wrote about this a long, long, long time ago...

Consumer-driven technologies are driving IT Security into oblivion, and security managers mad. Palo Alto Networks confirms that we're losing the battle against the great unknown risk brought in by the users, or by anyone other than IT administrators and corporate IT types. This quote is priceless...

"The report supports the notion that employee application usage within the enterprise is akin to the wild west where anything and everything is fair game."
First though, I'd like to give some credit to Tim Wilson of DarkReading.com for publishing the Palo Alto findings, and doing some analysis - but I'm going to take a slightly different angle.

Remember when IT Security didn't exist? You went to work for a company and were issued a desktop, or, for the lucky ones, a laptop, and were sent on your merry way. You got the standard set of business tools (and some of us even got a "coreload" which was uniform among all the machines issued), and then were left to your own devices as administrator of your local machine. Cool! You installed instant messaging clients, P2P programs, and other neat stuff like those games that were so neat you could play them in your spare time [read: during meetings]. Then IT Security came into the picture somewhere along the way and started to spoil the fun. Security started issuing mandates like "you can't install KaZaA on a company-issued machine"... what was that all about? Good thing they had no teeth and couldn't enforce it, right?

Fast-forward to today and many larger, better-managed enterprises (and some lucky smaller companies) have a lock-down policy on the gear they issue you. Problem is, they [still] can't cover every angle you can take to "install stuff". For example, most ridiculously built applications still require you to be administrator to run them, so IT Security has to back off until that gets fixed, and in the meantime you play widget golf or what-not, connect your iPod [with the necessary iTunes + QuickTime... and RealAudio... and Safari?] and your GPS so you can sync your maps, and a USB memory stick so you can "back up" all your music and listen to it off the player on your work machine... and it goes on and on.

Before we [IT Security] know it, there are iPhones and gadgets of all kinds connected to our network doing who-knows-what, and we have no clue how to control it. Now let me bring in the report I mentioned in the very first line of this story. Yes folks, consumerization is real and it's taking over your systems, clogging your network pipes and causing security vulnerabilities you can't even dream of yet. This report from Palo Alto only validates what I've been saying for years now. An old manager of mine over at GE Consumer Finance (you know who you are) used to talk about how consumerization would be the death of corporate IT security. Could he have been any more right?

Look at the report, read it and let it soak in: we've lost control. Given this knowledge of the inevitable, your next question is likely "OK smarta**, so now what? What are you proposing?" Here's what I'm proposing... rather than spending so much time restricting what users can install, what they can do, and what they can hook up to their PCs, why not set a baseline for allowed activity and write a security policy that allows for random audits and HR actions as a result of failing an IT Security audit? Yes, this all sounds nice in theory, but there is more to it. You have to take a few steps first... let me outline it as I see it:

  1. Write a solid policy about usage of company assets. Be strict on what is allowed, what is not allowed, and what the repercussions are. You must spell things out clearly, and notify your users that they will be checked against this policy and that HR will be called when they violate it. Be prepared to take this to HR for approval, and then be ready to act on the policy.
  2. Institute a basic baseline for work PCs and technology. Perform basic steps to lock down issued hardware to a reasonable degree, and the rest of your networks, assets and IP in a way that makes sense (notice I didn't say spend ridiculous amounts on tools and monitoring equipment...). Make sure your policy makes sense for you and your user base. Allow folks to do the things they want to do (and will do behind your back anyway) securely! This means a proxy-only environment: outbound traffic leaves only through a proxy that can terminate and inspect tunneled connections, with egress filtering on everything else so nothing sneaks around it, and that proxy is where your DLP controls live. It's not easy, but it's a great way to go, and it lets your users know you're not trying to enclose them in a cell all day, just that you're looking out for your company's interests.
  3. Be prepared to audit the systems, networks and gadgets that are out there in your corporate microcosm. Given that you now have a policy against certain types of actions, make sure you can reliably detect those actions and issues so as to report on them. Accuracy and reliability are the keys here: if the audit that triggers an HR conversation is wrong, the policy is dead. You can't mess this up.
There... that, taken together, will make for a sound policy that I think both you [assuming you're the CISO/IT Sec Leader] and your company can live with, and you won't need to take out a government loan to get it done.
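To make step 3 concrete, here is an added example (not code from the original post, and not from the Palo Alto report) of the audit logic: it takes a per-host inventory and checks it against the baseline from steps 1 and 2, producing findings that are specific enough to hand to HR. The inventory records and the policy contents are constructed for illustration; the banned-software names are the kinds of things the post complains about, the allowed listening ports and admin accounts are assumptions, and in practice the records would come from whatever inventory agent or management tool you already run.

```python
"""Audit host inventory against an acceptable-use baseline.

Added example, not code from the original post. The inventory records are
constructed; in practice they come from your endpoint management or
inventory agent. The policy contents (banned software patterns, sanctioned
local admins, allowed listening ports) are assumptions for illustration.
"""
import re

POLICY = {
    # Case-insensitive regexes matched against installed software names.
    "banned_software": [r"kazaa", r"limewire", r"bittorrent", r"\baim\b", r"yahoo messenger"],
    # Only these accounts may sit in the local Administrators group.
    "allowed_local_admins": {"Administrator", "IT-Support"},
    # Policy says no removable storage on issued machines.
    "allow_removable_storage": False,
    # Anything else listening is something the baseline did not put there.
    "allowed_listening_ports": {135, 139, 445, 3389},
}

# Constructed inventory records, one per host.
INVENTORY = [
    {"host": "WS-0412", "user": "jdoe",
     "software": ["Microsoft Office 2007", "KaZaA 3.2", "iTunes 8.0", "QuickTime"],
     "local_admins": ["Administrator", "jdoe"],
     "listening_ports": [135, 139, 445, 6346],
     "removable_storage": ["USB Flash Disk"]},
    {"host": "WS-0415", "user": "asmith",
     "software": ["Microsoft Office 2007", "Adobe Reader 9"],
     "local_admins": ["Administrator", "IT-Support"],
     "listening_ports": [135, 139, 445],
     "removable_storage": []},
]


def audit_host(record, policy):
    """Return a list of (rule, evidence) tuples for one host; empty means compliant."""
    findings = []
    for name in record["software"]:
        if any(re.search(pat, name, re.IGNORECASE) for pat in policy["banned_software"]):
            findings.append(("banned_software", name))
    for admin in record["local_admins"]:
        if admin not in policy["allowed_local_admins"]:
            findings.append(("unexpected_local_admin", admin))
    for port in record["listening_ports"]:
        if port not in policy["allowed_listening_ports"]:
            findings.append(("unexpected_listener", f"tcp/{port}"))
    if not policy["allow_removable_storage"]:
        for device in record["removable_storage"]:
            findings.append(("removable_storage", device))
    return findings


def audit(inventory, policy):
    """Map host name to its findings, keeping compliant hosts so the report is complete."""
    return {rec["host"]: audit_host(rec, policy) for rec in inventory}


def report(results, inventory):
    """Render one line per finding, with the assigned user, for the HR hand-off."""
    owner = {rec["host"]: rec["user"] for rec in inventory}
    lines = []
    for host, findings in results.items():
        if not findings:
            lines.append(f"{host} ({owner[host]}): compliant")
        for rule, evidence in findings:
            lines.append(f"{host} ({owner[host]}): {rule}: {evidence}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(INVENTORY, POLICY), INVENTORY))
```

On the constructed data WS-0412 produces four findings (the P2P client, the user in the local Administrators group, the unexplained listener, and the USB disk) and WS-0415 comes back clean. Note that iTunes is not flagged: the point of the post is to let people do what they will do anyway, securely, and to spend the audit budget on the things the policy actually forbids. The evidence string in each finding is what makes the result defensible when it reaches HR.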

Some additional reading:

Friday, September 12, 2008

SPAM Protected Under 1st Amendment in Virginia?

You read right.

My colleague Scott sent me an email today with this story from the Atlanta Journal-Constitution, which basically strikes down the law that put one of the most infamous spammers in history in the slammer for 9 years. Unbelievably, he was allowed to argue that his "email campaigns" were covered under the "freedom of speech" provisions of the US Constitution... even though his email spews were 100% commercial. How does that work?

Of course... the question is, will this reversal of the Virginia law cause a cascading failure of legal precedent up into the US Federal CAN-SPAM Act? We'll have to wait and find out, I guess. But I have some additional thoughts on this topic, namely: does this have anything to do with security, or is spam simply a nuisance that administrators, mailbox owners, and network managers have to learn to live with?

Interesting that arguing "freedom of speech" could reverse a law that makes it illegal to send unsolicited, commercial email to random people.

My favorite quote of the article is this one... from the ruling itself.
The Virginia law “is unconstitutionally overbroad on its face because it prohibits the anonymous transmission of all unsolicited bulk e-mails, including those containing political, religious or other speech protected by the First Amendment to the U.S. Constitution,” Justice G. Steven Agee wrote.

...so because the law prohibits the transmittal of *any* type of unsolicited bulk email (including religious and political emails), the law as a whole is unconstitutional.

--Thanks Scotty... interesting development indeed.

Wednesday, September 10, 2008

Ultimate Attack Vectors - Web Browsers

Talking about web application security lately is making me nuts. It's been about, what, 12 years since we security folks started preaching about "firewalls", right? It took at least 5 years before anyone gave firewalls any serious thought, and now they're just a given when building a network. People started putting in firewalls because servers got hacked, and bad things happened.

This got me thinking. Servers got hacked the "old fashioned way", which meant that a bad guy scanned one of the millions of IPs on the Internet, across the range of 65,535 ports, looking for a listening service to exploit, and then tried one of the dozens of exploits available for that service (such as a DCOM exploit against Windows XP). The odds were in the attacker's favor, but the execution wasn't simple, and the attacker had to go find targets.

In comes the browser. Forget port-scanning, customizing exploits to processors + operating systems, and listening services. Just craft an attack that any standards-based browser will happily run, such as Cross-Site Scripting (XSS), reflect it to the victim (who is willingly coming to the attacker), and voila. Hacked.

The browser is such a double-edged sword... Users love it because it drives all the cool "web stuff" they can do like Facebook, MySpace, YouTube, and so on... and it's a hacker's dream. No longer does the attacker have to go out seeking servers with Internet-open ports to scan and victimize... the attacker simply follows the Kevin Costner (Field of Dreams) model: if you build it, they will come... and you can exploit them. This of course blows the firewalled-machine model right out the window. It doesn't matter that the victim is firewalled; the browser makes the connection outbound, which is exactly the traffic the firewall is built to allow, so the avenue for exploitation is so much greater than it ever was against a firewalled server.

... and people tell me that they just don't see the value in spending copious amounts of money and resources on securing web apps. Makes me crazy.
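Since both this post and the AppSec write-up above come back to XSS and the inadequacy of black-list filters, here is one added example covering both (not code from the original post, and not from any of the talks mentioned). It models a hypothetical search page that reflects the user's query into HTML three ways: unfiltered, through a black-list that strips "script" tags, and through proper HTML output encoding, and then runs a few constructed payloads through each. The page, the payloads and the `executes_script` heuristic are all assumptions made for illustration.

```python
"""Reflected XSS: why a black-list filter fails and output encoding does not.

Added example, not code from the original post. The search page below is a
hypothetical handler that reflects the user's query into HTML; the black-list
mirrors the kind of filter that the AppSec talk showed to be inadequate.
"""
import html
import re

# Three hypothetical renderings of the same search page.
def render_unfiltered(query):
    """The original bug: user input dropped straight into the page."""
    return f"<p>Results for: {query}</p>"


def naive_filter(query):
    """The classic black-list: strip literal <script> and </script> tags."""
    return re.sub(r"</?script>", "", query, flags=re.IGNORECASE)


def render_blacklisted(query):
    """Still vulnerable: anything the black-list didn't think of gets through."""
    return f"<p>Results for: {naive_filter(query)}</p>"


def render_encoded(query):
    """The fix for this context: encode for HTML text/attribute output."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# Constructed payloads. The nested one is a well-known trick against
# single-pass tag stripping: removing the inner tag reassembles the outer one.
PAYLOADS = {
    "plain_script": "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "nested_tag": "<scr<script>ipt>alert(1)</scr</script>ipt>",
}

# Heuristic stand-in for "a browser would run this": a real script tag, or a
# tag carrying an on* event-handler attribute.
_EXECUTABLE = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def executes_script(markup):
    return _EXECUTABLE.search(markup) is not None


def evaluate(payload):
    """Which renderers let this payload through as executable markup."""
    return {
        "unfiltered": executes_script(render_unfiltered(payload)),
        "blacklisted": executes_script(render_blacklisted(payload)),
        "encoded": executes_script(render_encoded(payload)),
    }


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:<14} {evaluate(payload)}")
        print(f"  blacklisted -> {render_blacklisted(payload)}")
        print(f"  encoded     -> {render_encoded(payload)}")
```

The black-list stops the textbook payload and nothing else: the event-handler payload never contained a script tag, and the nested payload comes out of the filter as a clean `<script>alert(1)</script>` because the filter only makes one pass. Output encoding neutralizes all three because it never tries to guess what is bad; it makes the input unable to change the structure of the page. One caveat a practitioner would add: `html.escape` is correct for HTML text and quoted attribute values only. Input reflected inside a JavaScript block, a URL, or CSS needs the encoding for that context, which is exactly where the next generation of filter-evasion tricks lives.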