Tuesday, June 30, 2009

[RANT] Call Me a Realist

Call me a cynic, a "doom and gloom" believer, a nay-sayer or whatever else you want - but understand that fundamentally I'm just a realist with a lot of experience in failure.

Hopefully you've had a chance to listen to the OWASP Podcast #27 featuring yours truly and heard my take on App Sec... If you haven't heard the OWASP Podcast yet, Jim Manico does an awesome job identifying, tracking down and interviewing people who have an influential role in web application security - and I for one feel honored that I was picked to be a part of that group. After listening to myself on the podcast I started to see what some of you guys had been telling me about myself - I make one hell of a cynic, don't I?

I sat and thought about it some, as the rains poured down over Progressive Field in Cleveland, OH (and the White Sox pounded the Tribe). Am I really a cynic or do I just know better than to expect something that will likely never come? I think the reality here is that I've worked in companies large and small, with funding and with a shoestring budget, well staffed and with a skeleton crew - and the result has been consistent failure.

Are we just physically incapable of writing good, secure web application code? Yes.

Well, no, take that back. In an imaginary world where we have unlimited time, unlimited tools at our disposal, everyone is well-educated (in security) and has an incomprehensible amount of intelligence for development... yea, we'd still fail. You see, good security is (like the devil) in the details. Put down the sharp implement and let me explain.

Even in a perfect world there are still things that the individual developer cannot control. In modern application development it is almost unheard of for a single person to write an entire application without the use of code-generating tools, 3rd party objects/modules/includes, or additional support such as a horde of developers. This creates a condition known as "I-have-no-idea-what-they-did-but-it's-not-my-problem-itis" for which there is no known cure. Say, in this perfect land you have a group of developers that understands their tasks well, can secure their code and is smart enough to get support when they need it - but what about all the code they are re-using or integrating with? It's still unpredictable at best, and who knows what sort of security muster it's passed (or not). Someone once told me that we'd have no more code insecurity if we could just get rid of the programmers and replace them with re-usable code. I then reminded that person that someone had to write that re-usable code engine... which leads to the possibility for flaws.

Emerging from our perfect world where security still fails on occasion and returning to the real world we realize that we're under-staffed, over-worked, under-educated and under-budgeted. We've lost the race before the gun goes off. Chasing the big white whale becomes the dream of a madman. In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right?

If you're not having too hard of a time explaining what it is you really mean by "we're going to be hacked" then you're figuring out how to get budget, or you're attempting to fit the notions of security into the greater SDLC... there's always a problem.

Think of it this way - as technologies become more complex, security and development know less and less about each other's art - thus leading to a state where very bad things can happen in a heartbeat. This isn't magically going to get better when you wake up tomorrow. You're also not going to stop outsourcing, off-shoring, and doing development with teams that don't speak your language or understand your culture. Your ancient applications aren't magically going to be sunset in favor of their newer, more secure, versions. Things just aren't getting any better; this has been a trend since the mid-90's.

So... am I a cynic? Yea, I'm a cynic.
Why am I a cynic? I think it's because I know better, and I'm just a realist.

I do hope every day that there is a game-changer just around the corner. A new web development language that inherently prevents the developer from writing insecure code would be a great place to start! Until then ... Skeletor lives.

Monday, June 29, 2009

OWASP Podcast #27 - "Security Skeletor"

A while back Jim Manico (@manicode) of the OWASP Podcast series emailed me and asked me if I'd be willing to do an interview for OWASP.

You readers know I tend to be a bit opinionated, so doing this podcast interview and not offending everyone was front-of-mind. I hope I accomplished my goal... and only a few of you end up thinking I'm nuts after listening.

I hope you enjoy the podcast, I tried to be open, honest, and even informative.

Maybe Jim Manico himself will be kind enough to explain the Skeletor reference...

Listen to the OWASP Podcast series regularly... and go follow @OWASP_podcast on Twitter!

Thursday, June 25, 2009

What ever happened to...

  1. AirCell and American Airlines' "wi-fi in the sky" campaign? So much was made about it a year ago and discussions circulated around the security circles... and now no one's said a peep about it in months. AirCell's Blog has been quiet since 2007 (shocking!). According to the press release section on their site, they've completed an FAA certification "3 months ahead of schedule" so that must mean it's safe, secure and hacker-proof, right?
    "BROOMFIELD, Colo., June 18 /PRNewswire/ -- Aircell, the world's leading provider of airborne communications, announces that it has received full FAA certification (STC and PMA) for its new High Speed Internet system in the business aviation market and that shipments have commenced three months ahead of schedule. The system's first installation has been completed by Midcoast Aviation aboard a Bombardier Challenger 605 operated by a Midwest-based flight department." (linked here)
  2. After beating up on McAfee's "Hacker Safe" (now McAfee Secure) program for a while, the security community seems to have left the folks over at Comodo (see their "Hacker Proof" program) to their own devices... continuing to provide their customers (and the customers of those web sites) the finest false sense of security $2,295.00/yr can buy. What ever happened to crusading against such blatant marketing (notice I didn't say security) stupidity?
  3. Then there was the saga of HoudiniSoft (remember?). They got involved in a massive lawsuit because they were offering to unlock people's carrier-tethered cell phones (thus breaking those illegal monopolies... wait, did I say illegal?). Where did that go? Their website now touts them as a legal way to re-provision cell phones... COOL! So I can take my T-Mobile locked phone and "re-provision" it to say... AT&T? (GSM capabilities are currently under development, according to their FAQ, bummer). That sounds pretty cool... I'm sure there are still some legal issues there - but I'm glad to see these guys are still around.
So... there you have it - 3 relevant stories that seemed to have fallen off the grid, silently.

Tuesday, June 23, 2009

Microsoft Security Essentials: Road Test

What better way to test the effectiveness of a malware scanner than to go download random binaries from the dirtiest part of the Internet... the P2P networks. Even worse, to really test Microsoft's Security Essentials I decided I would download, install and run LimeWire... and download binaries (.exe files) that I would normally avoid like the plague.

It's simple to find malware on the 'net these days... pop open LimeWire and search for something like "Photoshop crack" or "{random app here} keygen"... you'll find all the malware testing you could ever want.

As a control to Microsoft's Security Essentials I used VirusTotal.com. If you've never used VirusTotal it's a service that uses the major scanners out there (~40'ish or so) to scan your uploaded file and give you a verdict... pretty neat utility. Since not every Anti-Malware (A/M) program catches all threats it's best to run the binaries I've harvested through this handy-dandy little tool to ensure that I have a good idea of what the competitive products are finding on the binaries I'm working with.

I will admit the results are a little... shocking, even for Microsoft's standards.

Let the games begin!

Testing Method: Download random [suspect] binaries from LimeWire
Keyword Search: "keygen" "crack"
File Types: Windows .exe files
Control: VirusTotal.com
  1. Name: "Office Mac Keygen" | Verdict: Obvious | VirusTotal Link: Here ( 89.47% ) | MS SecEssentials: Fail

  2. Name: "All Sony Products KeyGen 1.2" | Verdict: Obvious | VirusTotal Link: Here ( 92.69% ) | MS SecEssentials: Detected - TrojanDownloader:Win32/Tonick.gen (removed)

  3. Name: "ALL_Xilisoft_Products_Keygen_v_1" | Verdict: Obvious | VirusTotal Link: Here ( 90.25% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tonick.gen (removed)

  4. Name: "berry white incl keygen by REVENGE" | Verdict: Obvious | VirusTotal Link: Here ( 87.81% ) | MS SecEssentials: Detected - 2 Threats (in 2 files) TrojanDownloader: Win32/Tracur.A & Tracur.B (removed)

  5. *Name: "conficker_including_keymaker_by_T" | Verdict: Average | VirusTotal Link: Here ( 66.67% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tracur.A

  6. Name: "solo_le_pido_dios__including_crack" | Verdict: Obvious | VirusTotal Link: Here ( 92.31% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tracur.A

  7. Name: "umidimmi_var_KeyGen.All_Versions.zip" | Verdict: Average | VirusTotal Link: Here ( 74.36% ) | MS SecEssentials: Fail

  8. Name: "SRS_Audio_SandBox_1.9.0.4_with_Keygen.zip" | Verdict: Obvious | VirusTotal Link: Here ( 90.25% ) | MS SecEssentials: Detected - TrojanDownloader: Win32/Tonick.gen

  9. Name: "y_hubo_alguin_crack-serial-keygen.zip" | Verdict: Average | VirusTotal Link: Here ( 70.74% ) | MS SecEssentials: Fail

  10. Name: "registry_clearner_from_TSRh_team (cracked).zip" | Verdict: Average | VirusTotal Link: Here ( 60.53% ) | MS SecEssentials: Fail
Looking at the results, one could conclude that Microsoft's Security Essentials did not fare well compared to other anti-malware scanning engines. That being said, the Security Essentials detection engine broke down on 1 obvious piece of malware (90% detection rate) and then choked on another 3 pieces of malware that had 60%, 70%, and 74% detection rates respectively. Ordinarily that's pretty bad, but when you consider that Microsoft Security Essentials is free... one has to wonder.

Overall, one thing I noticed is that the engine's real-time protection is a little lacking: it rarely (only once) caught the piece of malware as it was being unzipped, and typically only when I attempted to actually run the file. This obviously isn't optimal, but it's not an entirely show-stopping failure given that most active pieces of malware require you to activate them somehow... such as double-clicking to execute the file.

Bottom Line: The verdict, unfortunately folks... is that Microsoft's Security Essentials is essentially lacking on the detection front. In a world where Internet-borne threats are polymorphic, stealthy, and ever-changing, the Security Essentials tool fails to deliver real protection against the nasty things that go bump on the 'net. Even when compared against other freeware detection engines (such as AVG) Microsoft's engine still competes poorly, since every single piece of malware that Security Essentials missed, AVG's scanner caught.

Sorry to say - but I recommend spending the cash for a decent anti-malware scanner boys and girls, "Code-name Morro" (Microsoft Security Essentials) isn't up to the task of protecting your computer.

I would like to stress that this is a test of static file analysis, and not of "invading malware" from a drive-by download or something... I downloaded files and then had MSE (Microsoft Security Essentials) check to see if it could detect malware hidden inside the ZIP files they came in. Your results may vary!

Interestingly enough - Steve Ragan over at The Tech Herald had exactly the opposite results. Odd... not sure what to make of this yet... but rest assured more analysis is happening as you read this. Check out Steve's absolutely comprehensive analysis (complete with video!) here... http://www.thetechherald.com/article.php/200926/3926/Review-Microsoft-Security-Essentials

Microsoft Security Essentials: First Impressions

Hey folks, in case you were living in a cave, Microsoft's Security Essentials (formerly code-named "Morro") is now live and available for download.

As it went live at 11:00am Central Time I couldn't help but snag it the minute it went live... and wanted to throw out my first impressions and continue to update this post as I put the free anti-malware client through its paces in my lab.

Lab Configuration:
  • Host: Linux Ubuntu 9.04 running Sun VirtualBox
  • Guest OS: Windows 7 RC build
  • Memory: 2Gb
  • Disk: 20Gb
  • This is the only anti-malware client on this [virtual] machine
After jumping through the hoops to download the BETA, and actually reading the EULA and software agreement (which is pretty standard, by the way... no giving up your first-born), I got the client installed and working just fine. I grabbed the available version (6/21/09, Ver. 1.0.1407.00) and installed it immediately.

First thing I noticed is how utterly tiny this client is, at just over 4.7Mb, that's astounding! Maybe this isn't everything that my monstrous Kaspersky install is on my laptop... but this is pretty impressive if it can deliver. On disk, after installation the Microsoft Security Essentials directory is just 8.67Mb, with 38 files in 6 folders... again, not too bad. As far as system resources are concerned, the msseces.exe process runs in the context of the currently logged-in user (as is expected with Windows 7 controls) using ~0% CPU and just 3.468Kb of memory. With such a small footprint one has to immediately wonder... is this thing even effective? I'm going to find out.

One thing that those of you who are used to complex anti-malware packages will notice is the distinct lack of advanced features... this is, after all, a very simple anti-malware client. Simple being the operative word here... so you can't expect much for free... or can you? There is the option of Real-Time protection, which enables itself after the first auto-update, and there is an auto-update feature, since the goal is to reach those who would never remember to do it manually. Overall first-impressions are... "yea, it's simple".

Looking at the settings one thing did strike me though... the participation in Microsoft SpyNet (which is apparently a carry-over from the Windows Defender tool) has a Basic or Advanced membership. I can't quite tell exactly what the advanced membership buys you (the user) or why it shouldn't be the default... as it appears that it would help the SpyNet folks pin-point the malware more closely. One thing I did notice is that there is this interesting clause, which I can't imagine worrying anyone...
"In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you, or to contact you."
That "unintentionally" gives away something that I think needs to be further investigated. What types of information are being sent over? How can analyzing malware unintentionally lead to disclosure (or harvesting, accidental or not) of your personal information? I'd venture a guess that as malware collects information on YOU, it may inadvertently pass that information on when it's captured, but I can't say for sure.

Here's how I'm laying out my tests for the coming week or so...
  • Using Security Essentials I'm going to find and download some "questionable content" from the dirty underbelly of the Internet...
  • I plan on comparing SecEssentials performance in detection and raw stopping power against that of my Kaspersky installation protecting another VM...
  • I'm also planning on comparing "Morro" or Security Essentials against some of the other things out there including PrevX (if they ever get back to me)...
Look for more coming soon... so far, so good. Do you have the BETA installed? Have you given it a test-run and found anything interesting? Be the first to comment here... let's hear your reactions if you're willing to share!

Friday, June 19, 2009

ATMs Hacked by Brilliant Trojan Malware

As if we needed another reason to dislike the Microsoft Windows OS... then this happens. Windows-based ATMs in Russia and Ukraine are apparently being trojaned, quite cleverly may I add, to become silent thieves!
"What he has discovered is a devious piece of criminal coding that has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine's banknote storage cassette into the street." (Paul Marks, NewScientist, June 17, 2009)
That's just incredible. What makes this even more crazy-sounding is that it's not like you can walk up to an ATM and insert a USB key, or point it to some shady URL... this has to be an inside job. Criminals are getting to the people who engineer and/or service Automated Teller Machines [ATMs] and having them insert these little "digital skimmer" trojans.
"Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves." (Paul Marks, NewScientist, June 17, 2009)
Crooks have really thought of everything. I know I've argued for a long while that targeted malware is reaching a point in the evolutionary cycle where "anti-malware" programs as we know them may as well not even be installed. It's crazy to think that these pieces of software are so optimized, so well-hidden, and so well constructed that they can not only hide inside a system undetected - but they can also modify themselves (as this article suggests) in order to further evade detection! What's next... I'm almost afraid to ask!

Here's the real meat of the problem... this isn't a traditional hack job, in the pure sense - it's social engineering (maybe some extortion too) thrown into the mix. This reeks of the crime syndicate methods of old... and new. Getting software onto a computer remotely is one thing; but being brazen enough to get it onto a machine by manually putting it there... that's an entirely new level of commitment. Of course, the amount of money these criminals are able to skim probably justifies this. Think of the organizational hierarchy that has to be in place (or has long been in place, as I suggested previously) to execute these types of attacks.

"The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.

News of the card-data harvester has shocked banks and security analysts. "My reaction to this was: how the hell did they get that software in there?" says Lachlan Gunn, head of EAST. "It must involve insiders." Colin Whittaker, head of security at the UK's Association for Payment Clearing Services (APACs), agrees: "The levels they have gone to to corrupt ATM engineers and install this software is just incredible." "

So now you have an inside job, run by someone with access to incredibly sophisticated programming talents, deep pockets and henchmen who are willing to do the dirty work. Well, if this doesn't immediately scream organized crime to you - you've got to open your ears. We've had more than ample evidence over the last several years that organized crime is more and more interested in computer crime - and this takes it to levels previously unseen. I think, quite honestly, security is now at least 2-3 steps back behind the "bad guys"... sounds like there is quite a problem brewing.

** Huge thanks to Gunter Ollmann for pointing me to this, the original TrustWave report, on Twitter. Gotta love that social medium! Notice the "file creation/install date: July 2007"... wow.

More as this develops...

Thursday, June 18, 2009

Watcher - Web Vulnerabilities Served Up Passively

I'm lazy, and getting lazier these days.

Therefore, it should be no shock that I love tools that don't require me to do much of anything to get great results. How about a Fiddler plug-in that simply watches me browse the site I want to target and stacks up potential vulnerabilities (or areas that require further exploration) in that site or application? Sound good to you?

A tool called Watcher fits right into that category when it comes to web application vulnerability detection. I stumbled upon this tool a while ago while looking through the web for browser-based web site security vulnerability detection (hacking) tools. Chris Weber of Casaba Security came up with the idea while researching browser-based, lightweight tools to complement his penetration testing strategy and other tools in his arsenal. Since he'd already been using Fiddler (a plug-in testing assistance tool for Internet Explorer) he figured why not just write a plug-in to Fiddler and do passive site vulnerability analysis. Watcher is the result of that endeavor.

So here's why I think you should make Watcher part of your toolbox if you're doing web application/site security analysis or penetration testing....
  • Watcher enables vulnerability hotspot detection which gives you a better idea of where to target your efforts; essentially focusing on where JavaScript and user-controlled HTML are rampant
  • Watcher integrates nicely in Fiddler2 and provides additional functionality in a very low footprint
  • It's useful... and the new version 1.2 (coming very, very soon) has added checks for many things that should interest you as a tester including cookies, headers, user-controlled content space, SSL and other things
  • Has explicit checks for "dubious information disclosure"... which I think a lot of the commercial scanners don't do a good job of defining
  • It's simple and nearly effortless... now that's a feature everyone will love
  • You get results... and with very little effort you can help spot trouble spots in site that require your further testing skillZ
Will Watcher replace your current commercial or open-source web application vulnerability scanner? No, most definitely not. Is it the only tool you need... definitely not. Does it have a super-comprehensive library of checks... and does it never generate false-positives? Nope. So why try it? Simple ... because you have a finite amount of time to test a monstrosity of a site, and you have no idea where some of the lower-hanging fruit might lie... Watcher can help you figure that out while simply browsing the site.
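To make the "passive" idea concrete, here is an added example (my own code, not Watcher's or Casaba's) of the kind of checks a passive proxy plug-in runs over traffic it merely observes: cookie flags, a few response headers, version disclosure in the Server header, and whether a query parameter the user controls comes back verbatim in an HTML body (a hotspot worth manual follow-up rather than a confirmed bug). The HTTP exchange below is constructed for the example; the check names and the minimum reflected-value length are my own choices, not Watcher's.

```python
"""Passive HTTP response checks, Watcher-style (added example, not Watcher's code)."""
import re
from email.parser import BytesParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample exchange; not captured from any real site.
SAMPLE_URL = "https://shop.example.test/search?q=%3Cb%3Ehello%3C%2Fb%3E&page=2"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.11 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>Results for <b>hello</b>: nothing found on page 2</body></html>"
)


def parse_response(raw):
    """Split a raw response into status line, header map and decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block + b"\r\n", headersonly=True)
    return status_line.decode("ascii", "replace"), headers, body.decode("utf-8", "replace")


def check_cookies(headers, is_https):
    """Flag cookies set without Secure (on HTTPS) or without HttpOnly."""
    findings = []
    for raw_cookie in headers.get_all("Set-Cookie", []):
        name = raw_cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in raw_cookie.split(";")[1:]}
        if is_https and "secure" not in attrs:
            findings.append(("cookie-secure", f"cookie '{name}' set over HTTPS without the Secure flag"))
        if "httponly" not in attrs:
            findings.append(("cookie-httponly", f"cookie '{name}' is readable by script (no HttpOnly)"))
    return findings


def check_headers(headers):
    """Missing defensive headers, version disclosure, and HTML without a charset."""
    findings = []
    for required in ("X-Frame-Options", "X-Content-Type-Options"):
        if headers.get(required) is None:
            findings.append(("header-missing", f"{required} not set"))
    server = headers.get("Server", "")
    if re.search(r"\d+\.\d+", server):  # a dotted version number is "dubious information disclosure"
        findings.append(("info-disclosure", f"Server header reveals a version: {server}"))
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("text/html") and "charset" not in ctype.lower():
        findings.append(("charset-missing", "text/html response without an explicit charset"))
    return findings


def check_reflection(url, body, min_len=4):
    """Query parameter values echoed verbatim into the body mark user-controlled HTML space.

    Very short values (e.g. page=2) match almost any body, so they are skipped to limit noise.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(url).query):
        if len(value) >= min_len and value in body:
            findings.append(("user-controlled-html", f"query parameter '{name}' reflected verbatim in the body"))
    return findings


def check_response(url, raw):
    """Run every passive check over one observed request URL / response pair."""
    _status, headers, body = parse_response(raw)
    is_https = urlsplit(url).scheme == "https"
    findings = check_cookies(headers, is_https) + check_headers(headers)
    if headers.get("Content-Type", "").startswith("text/html"):
        findings += check_reflection(url, body)
    return findings


if __name__ == "__main__":
    for check_id, detail in check_response(SAMPLE_URL, SAMPLE_RESPONSE):
        print(f"[{check_id}] {detail}")
```

On the constructed exchange the checker reports seven findings: the session cookie lacks both flags, two defensive headers are absent, the Server header carries a version, the HTML has no charset, and the q parameter is reflected; the pref cookie and the single-character page parameter produce nothing. Nothing here sends a request; the value is in triaging what the browser already fetched.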

As someone who lives in the web site vulnerability world... I now include this in my toolbox for when I'm looking at a large app with no idea where to start. I simply keep this tool running and just browse... Watcher does the rest.

Kudos to Chris over at Casaba, keep the releases and signature updates coming!

Wednesday, June 17, 2009

[Product Review] Tufin's SecureTrack 4.5 - Simplifying Chaos

Do you work for a large company or an extremely large enterprise?
- If you answered yes then I know what your biggest problem is... without even talking to you - you have too many network devices to manage. Period, end of story.

It's crazy but the firewalls we've come to rely on to keep the bad guys out (and I say that mostly in jest... ahem, RSnake) have become our undoing. While firewalls are clearly not going to stop layer 7 hacks, or even some of the more advanced hackers, they do accomplish the base purpose of reducing, at least to some visible degree, our company's exposed attack surface. Not counting web sites, our firewalls can keep a good amount of nastiness on the outside, but not if they aren't managed properly.

I recently worked for a company that had 250+ firewalls in a single business unit, mostly CheckPoint and Cisco Pix... managed either out of one of a handful of Provider-1 consoles, or remotely via telnet (then SSH, as available). That was one of those nightmares I never thought I'd wake up from... so you can probably see why I'm so interested, at least personally, in tools that aim to simplify the life of the firewall admins out there. If you're in this group and you manage more firewalls than you can honestly say you can handle sanely... read on, this one's especially for you.

Recently I wrote about a company that had some software which managed disparate firewalls all over the damn place, and alerted you when things went wrong... or when changes showed up that could cause you issues. I've since found another one that gets the job done... and how. The folks over at Tufin were kind enough to give me a full demo and a demo image to play with and I have to say I've been genuinely impressed.

It's crazy that products like this have to exist - but once you've got one of these puppies in your company's infrastructure you'll wonder how life ever went on without 'em. Think about being able to virtually test a firewall rule across every firewall you have. Will adding a web server object on firewall 99 conflict with a rule somewhere else on your network? It shouldn't ... but then again who the hell knows! With all the outsourcing, off-shoring, layoffs and restructuring going on these days can you afford to "be pretty sure" that you have a good, solid, and non-overlapping ruleset? Are your firewall rules as good as Swiss cheese, or are you actually able to hold some water?

Tufin's approach is interesting because it just seems to work... natively. With a central manager to pull data from all your firewalls and the ability to really "see" what's going on - I think this is one of those products you shouldn't go too long without... like socks or deodorant.

After playing with it, seeing the demo, and thinking some here are some of the things that caught my attention... and more importantly - why they caught my attention:
  1. Comprehensive enterprise view: What I mean is that now you have the ability to see every firewall object, policy, and rule in your entire enterprise across your CheckPoints, Ciscos, Netscreen/Junipers and whatever the heck else you have without having to open a dozen different consoles, GUIs, or neanderthally SSH shells to check it out... where was this when I was jockeying firewalls back in '98/'99... hrmm....
  2. Configuration change-management: Again, how did people live before this stuff was sold? If you're in the type of environment where 10 different teams make 100+ firewall changes a week (or worse...) then you're desperate for a way to see who made a change, when, and what it was... and if it's something that matches a specific no-no you'd want to be paged so you can administer your own brand of justice in the parking lot. It's more than just accountability - it's like having a link between every firewall rule-set in the company... and being able to see what's changed in a near-real-time way!
  3. Policy optimization: How many rules do you have... total? Hundreds? Thousands? What if you could (close your eyes and picture this) have a tool that ran across all your firewalls and figured out for you which ones don't ever get used anymore so you could throw 'em out? If someone asks you today if rule #124 on firewall 9A is pushing traffic - what do you say? Well, instead of burning through days and weeks of log files looking for that rule why not let Tufin do the work for you? It'll tear through your rule-sets for you and tell you which ones generate tons of traffic... and which ones are never used. Genius!
  4. Impact (Risk) analysis and management: Before you put in a rule that may potentially cause a catastrophic failure (elsewhere in the network) wouldn't it be great if you could do a simulated push to see what other rules the one you're putting in would affect? This is particularly important if you're babysitting outsourced firewall engineers at 3am while they go through and implement rules you had queued up for your change window. Will that rule cause havoc? Forget about worrying... just let the Tufin box tell you what the impact will be - and whether you need to stay up or go get some much-needed z's.
  5. Audit and compliance: Sadly, today's world really focuses on compliance and audit. You need to show pretty reports that you're auditing your rule-sets and you comply with whatever the policy du jour is... but you still need some hours left in the day to get actual work done which will provide actual security to the company. Again, these guys have a great audit engine that can do the work for you - so you can go back to black-box scanning your web apps and smashing your head on the desk because the developers didn't listen to you.
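Points 3 and 4 above (which rules never match, and what a new rule would do to the rest of the set) come down to two questions you can ask of an ordered, first-match rule-set. The added example below is mine, not Tufin's code or a description of how SecureTrack works internally: it models a tiny five-rule set and four constructed log records, reports which existing rules a proposed rule would shadow, be shadowed by, or conflict with at a given insertion point, and counts hits per rule to find the ones that never see traffic. The rule format, the rule names and the log layout are all assumptions made for the example.

```python
"""Toy rule-set analysis: simulated insert (shadowing/conflicts) and unused-rule detection.

Added example, not vendor code. Rules are first-match, IPv4, destination-port ranges only.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # inclusive (low, high) destination port range

    def covers(self, other):
        """Every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])

    def overlaps(self, other):
        """At least one packet is matched by both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and ("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.ports[0] <= other.ports[1] and other.ports[0] <= self.ports[1])

    def matches(self, proto, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])


# Constructed rule-set: R3 is a leftover that R1 already covers; R5 is the cleanup deny.
RULESET = [
    Rule("R1", "allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", (443, 443)),
    Rule("R2", "deny",  "0.0.0.0/0",   "10.2.0.0/24",  "tcp", (22, 22)),
    Rule("R3", "allow", "10.1.5.0/24", "10.2.0.10/32", "tcp", (443, 443)),
    Rule("R4", "allow", "10.3.0.0/16", "10.2.0.20/32", "tcp", (80, 80)),
    Rule("R5", "deny",  "0.0.0.0/0",   "0.0.0.0/0",    "any", (0, 65535)),
]

# Constructed log records: "proto src dst dport", one per observed connection.
SAMPLE_LOG = [
    "tcp 10.1.5.7 10.2.0.10 443",
    "tcp 10.3.1.2 10.2.0.20 80",
    "tcp 198.51.100.9 10.2.0.10 22",
    "udp 10.1.2.3 10.2.0.10 53",
]

# Proposed change under review: open SSH to the 10.2.0.0/24 segment from anywhere.
NEW_RULE = Rule("NEW", "allow", "0.0.0.0/0", "10.2.0.0/24", "tcp", (22, 22))


def simulate_insert(ruleset, new_rule, position):
    """What a first-match rule-set would do if `new_rule` were inserted at index `position`."""
    before, after = ruleset[:position], ruleset[position:]
    return {
        "shadowed_by": [r.rid for r in before if r.covers(new_rule)],   # new rule never fires
        "shadows": [r.rid for r in after if new_rule.covers(r)],        # these rules stop firing
        "conflicts": [r.rid for r in ruleset                            # overlap with opposite action
                      if r.action != new_rule.action and r.overlaps(new_rule)],
    }


def first_match(ruleset, proto, src, dst, port):
    for rule in ruleset:
        if rule.matches(proto, src, dst, port):
            return rule
    return None


def rule_hits(ruleset, log_lines):
    """Count how many logged connections each rule was the first to match."""
    hits = Counter({r.rid: 0 for r in ruleset})
    for line in log_lines:
        proto, src, dst, port = line.split()
        rule = first_match(ruleset, proto, src, dst, int(port))
        if rule is not None:
            hits[rule.rid] += 1
    return hits


def unused_rules(ruleset, log_lines):
    """Rules that never matched anything in the log window; candidates for removal."""
    hits = rule_hits(ruleset, log_lines)
    return [r.rid for r in ruleset if hits[r.rid] == 0]


if __name__ == "__main__":
    print("insert at top of set:", simulate_insert(RULESET, NEW_RULE, 1))
    print("insert at end of set:", simulate_insert(RULESET, NEW_RULE, len(RULESET)))
    print("hits:", dict(rule_hits(RULESET, SAMPLE_LOG)))
    print("unused:", unused_rules(RULESET, SAMPLE_LOG))
```

Position matters: placed right after R1, the proposed allow conflicts with R2 and the cleanup rule and makes R2 dead; appended at the end it is itself shadowed by R2 and R5 and would do nothing at all, which is exactly the kind of outcome you want to know before the 3am change window rather than after. The hit counter shows R3 never matching, because R1 ahead of it already accepts everything R3 would. A real product does this across every device and rule language it manages; the logic per rule pair is no more than what is shown here.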
The Verdict
  • Vendor over-hype factor: 3/5
      • Pretty good, vendor hits all the big buzz-phrases... but don't they all?
  • Usability: 4/5
      • Not simple, and some GUI and workflow quirks, but you'll get over it once you start using the product and realize how necessary it is
  • Utility: 4/5
      • Great tool, they're working on support for a wide range of devices and are willing to add what you use if there is sufficient push
  • Product Sexiness: 3/5
      • Hey, it's firewall management software...
  • Worth Your Time: 4/5
      • Simply put, yes. If you manage a large contingent of firewalls - you should own this (or find one of its competitors)

Bottom line:
This is a really cool product set with perhaps one of the most visible ROI models I've ever seen. Your ROI will be calculated in how much sanity, sleep, and confidence in your infrastructure you gain. Your upper-management will love that you've decreased fires, emergencies, and unscheduled downtime too... but then again that's all in a day's work.

You can find the Tufin folks here: http://www.tufin.com/, and check out the datasheet on SecureTrack here.

Tuesday, June 16, 2009

Cligs URL Shortening - I Told You So

Remember a few months ago when I wrote about the "big picture" behind why tinyURL.com's service is such a huge target for security vulnerabilities? [URL Shortening Services - the Bigger Picture] I almost hate to say this but... I told you so.

Well folks, on June 15th Cligs was hacked. The short URL provider "cli.gs" was exploited and the malicious user pointed every single one of the 2.2 million URLs in the database to freedomblogging .com (broken on purpose, I don't want to drive those twits any more traffic). The method of the hack is irrelevant, although speculation is that it was done via an unspecified hole in the edit functionality on the website, which is currently disabled.

From the cli.gs blog:

Late last night/early this morning, a security hole in the cligs editing functionality was discovered and was exploited by a malicious attacker. The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com. The attacker's IP address appears to have been from Canada.

I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then. My daily backups with my host were turned off for some reason, which is another story.

Think about it. 2.2 million URLs were affected.

On the Cligs blog, there is a post from May 8th about how Cligs is the 4th most popular URL Shortening Service on Twitter - I wonder if the hacker read that and found it a great place to start hacking away?

No matter what the implications (and let me say that after a quick glance FreedomBlogging does not appear to be a malicious site, simply a link landing page), this should seriously serve as a wake-up call for those of you who click on shortened URLs out there on twitter... and those who run these services. Secure your sites, watch what you're clicking... it's only a matter of time.

Cligs staff were unreachable for immediate comment either via Twitter or via the blog Contact Us page... as soon as someone replies I will post it here - stay tuned!

HelpNetSecurity is also running a story about this...

Sunday, June 14, 2009

Preying on Fears...

I checked my SPAM box just for fun on one of my email accounts I only use for "giving out to places that may SPAM me"... and found something amusing. Someone is preying upon the craziness of the Internet to spread some malware... which isn't all that interesting except that I wonder how many people actually fall for this.

Yelling "FIRE!" in a movie theater will get people to get up and run, even if they don't see or smell a fire - it's no different on the 'net. Just a friendly reminder not to trust emails and to keep spreading the word to people who would otherwise not know better.

SPAM From: "Microsoft"
SPAM Subject: "Use this patch immediately!"
SPAM Content:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
SPAM Attachment: patch.exe
SPAM Header:
From Microsoft Fri Jun 12 10:52:22 2009
Return-Path: <admin@duma.gov.ru>
Authentication-Results: mta142.sbc.mail.mud.yahoo.com from=microsoft.com; domainkeys=neutral (no sig); from=microsoft.com; dkim=neutral (no sig)
Received: from (EHLO sccwmxc03.att.net) (
by mta142.sbc.mail.mud.yahoo.com with SMTP; Fri, 12 Jun 2009 10:52:22 -0700
Date: Fri, 12 Jun 2009 17:52:22 +0000 (GMT)
Received: from localhost (slip-12-64-120-75.mis.prserv.net[](untrusted sender))
by att.net (sccwmxc03) with SMTP
id <20090612175216s0300gm37ae>; Fri, 12 Jun 2009 17:52:16 +0000
From: "Microsoft"
To: <********@att.net>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
Content-Length: 12963
I do notice that Yahoo! does immediately dump this into the SPAM directory (hopefully because the domainkeys doesn't authenticate) but there should be a bigger warning! If the DomainKeys auth doesn't match there should be a big, blaring, impossible-to-miss flashing red sign on the header that says "THIS IS FORGED"... but that's just my suggestion.
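Added example (not Yahoo!'s or Microsoft's code) of the kind of check behind the "THIS IS FORGED" banner suggested above: it parses the Authentication-Results header, asks whether any method actually passed for the claimed sender domain, and cross-checks Return-Path and From. The sample input is built from the header lines quoted above with the recipient redacted; the second, "clean" sample and the RFC 5451-style property names it accepts are assumptions.

```python
"""Flag mail whose claimed sender is not authenticated (added example, not
Yahoo!'s or Microsoft's code). Sample headers are constructed from the spam
quoted in the post, recipient redacted."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <admin@duma.gov.ru>
Authentication-Results: mta142.sbc.mail.mud.yahoo.com from=microsoft.com; domainkeys=neutral (no sig); from=microsoft.com; dkim=neutral (no sig)
From: "Microsoft"
To: <redacted@att.net>
Subject: Use this patch immediately !
"""

# Constructed counter-example in RFC 5451 style where both methods pass and align.
GOOD_HEADERS = """\
Return-Path: <bounce@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Example Alerts" <alerts@example.com>
"""

PASSING = {"pass"}
# Property names that carry a domain rather than a method result.
DOMAIN_KEYS = {"from", "header.from", "header.d", "header.i", "smtp.mailfrom"}


def parse_auth_results(value: str):
    """Return (authserv-id, {method: result}, {domains the results were asserted for})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    methods, domains = {}, set()
    for part in parts:
        for key, val in re.findall(r"([\w.]+)=([^\s;()]+)", part):
            key, val = key.lower(), val.lower()
            if key in DOMAIN_KEYS:
                domains.add(val.rsplit("@", 1)[-1])   # keep only the domain part
            else:
                methods[key] = val                      # e.g. dkim -> neutral
    return authserv_id, methods, domains


def _domain(header_value: str) -> str:
    """Domain of the address in a From/Return-Path header, or "" if there is none."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess(raw_headers: str) -> dict:
    """Decide whether the client should show a loud "forged" banner for this mail."""
    msg = message_from_string(raw_headers)
    from_domain = _domain(msg.get("From", ""))
    rp_domain = _domain(msg.get("Return-Path", ""))
    authserv, methods, asserted = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    if not from_domain:
        reasons.append("From header carries a display name but no address")
    passed = [m for m in ("dkim", "domainkeys", "spf") if methods.get(m) in PASSING]
    if not passed:
        detail = ", ".join(f"{m}={r}" for m, r in sorted(methods.items()))
        reasons.append("no authentication method passed: " + (detail or "no Authentication-Results"))
    elif from_domain and asserted and from_domain not in asserted:
        # Something passed, but for a domain other than the one the user sees.
        reasons.append(f"authentication passed for {sorted(asserted)}, not for From domain {from_domain}")
    claimed = from_domain or (sorted(asserted)[0] if asserted else "")
    if rp_domain and claimed and rp_domain != claimed and not rp_domain.endswith("." + claimed):
        reasons.append(f"Return-Path domain {rp_domain} does not match claimed sender {claimed}")
    verdict = "THIS IS FORGED / UNAUTHENTICATED" if reasons else "authenticated"
    return {"verdict": verdict, "authserv_id": authserv, "claimed_domain": claimed, "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_HEADERS, GOOD_HEADERS):
        result = assess(sample)
        print(result["verdict"], "-", result["claimed_domain"])
        for reason in result["reasons"]:
            print("  *", reason)
```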

Friday, June 12, 2009

Friday Thoughts - Microsoft Morro

There has been a ton of buzz lately about Microsoft's announcement to (a) finally formally kill OneCare (which was a disaster) and (b) release a free anti-malware platform for the common user. Plenty of articles on it here, a good one here, and here so I won't repeat what others are saying and continue to whip a dead ghost-horse... but here are some of my thoughts on this topic.

  • What's Microsoft's ultimate goal? Microsoft always has an ulterior motive, let's face it. I know enough 'softies to know there really is no free lunch at Microsoft. Free always comes with a price tag that's to be paid in CPU cycles, proprietary software lock-in, or other means. So what's Microsoft up to? I think it's simple... they are trying to thwart Google's advance on the operating system market by slowly building out an entire ecosystem from base OS through malware protection and up the stack all the way through their Office productivity suite. Their ultimate goal then? Simple. Keep people using Microsoft's ecosystem of products to remove any possible foothold Google may have... but that's just my opinion.
  • Will it really be free? I'm thinking yes. As Microsoft continues to buy up companies and offer services for free (sound like an anti-Google campaign yet?) they inevitably will start to hit people where it hurts most. There was a great quote somewhere in the mountains of posts that I read on the topic that basically said Microsoft is going after not the enterprise space but after those people who buy a PC and can't afford to shell out the cash for AntiVirus/AntiMalware on a regular basis. These are the folks who will benefit from this zero-cost tool which will effectively keep their lovely Windows platform safe and secure from those pesky bad guys trying to steal their passwords on FaceBook... or not. The free model doesn't seem to make sense... until you realize that it's a small price Microsoft pays for Windows owner loyalty - maybe those idiotic Mac ads where Mac claims that only PCs get viruses and bugs are starting to hurt?
  • Will it be any good? I think it just might be. One of Microsoft's press releases hints that focusing on a smaller footprint is important as people get more frustrated with anti-malware engines that suck up valuable CPU and memory resources... even Norton (I think?) has done this lately - weird huh? Focusing on giving people a usable, non-invasive service for free is quite frankly... novel. From Microsoft's release:
    Code-named “Morro,” this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft’s move to focus on this simplified offering, the company also announced today that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009.
I don't know about you readers... but I can't wait to get this into my sandbox! Currently I run Ubuntu 9.04 and VirtualBox with Windows 7 RC... and I can't wait to add Morro to this. I know people are ready to lay out the FUD and start to pick this offering apart... but I'm welcoming it. If Morro is on target like Windows 7 is... I may actually go back to dual-booting... *GASP!*

Love to hear your thoughts to my 3 questions above...

Wednesday, June 10, 2009

[RANT] When All Else Fails... Sue 'Em

Look, I'm all for changing attitudes and forcing companies to take the privacy and security of your personal and private information seriously, but where do we draw the line? In case you haven't heard yet [which means you've likely been living in a cave... or under a rock], Aetna is being sued by Cornelius Allison ...

"The complaint alleges that "Aetna unlawfully failed to maintain reasonable systems and procedures to protect (Allison's) and (other employees) information."

The suit also alleges that the company failed to follow its own privacy policy charging them with negligence, breach of implied contract, negligent misrepresentation, and invasion of privacy."

That blows my mind for a number of reasons. Like I said, I'm typically the first one in line calling for the lynching of careless companies but this doesn't smell right.

First off "unlawfully failed to maintain reasonable systems and procedures"... what is that referring to? What law is this guy citing? If there was a law [not compliance regulation] that had this defined I think a lot of companies would be in serious trouble... but I can't find anything to reference - am I missing something?

I think that in order to prove negligence, breach of implied contract and other nasties you'd have to be able to prove intent... right? This isn't realistic in a case like this unless this guy has an insider that's willing to say "Yes, they were negligent and ignored best-practice and left vulnerabilities in the system". I'm no lawyer - but this strikes me as a fishing expedition against a company who got hacked [as pretty much everyone has by now] and then was responsible and tried to proactively warn people. What's the problem?

I looked up Aetna's Web Privacy Policy and the only thing I can think of that even makes sense is if Aetna was somehow moving this private data between sites within their system carelessly? I don't know... but they do have an extensive disclaimer of liability... which I guess makes sense for a large company to protect itself.

I can understand a user's frustration with their personal and private (SSN is pretty private, although it shouldn't be... don't even get me started on that) information being stolen but suing Aetna may not accomplish much of this person's actual goal. Will a law suit make better security happen? Maybe. Will it make companies think twice about disclosing potential breaches for fear of getting sued? Yes... probably. Is that a good thing? No.

For every action, there is an equal and opposite reaction... right? Well... I may be the perpetual cynic but I just don't see the light at the end of this tunnel, here's why:

  1. From everything I can tell, this wasn't some egregious hack where millions of private records were stolen from a poorly secured site (in fact, we have no idea how the info was stolen)
  2. From their public releases (and 3rd party investigations) it has not been determined that anything other than email addresses were pilfered! (which isn't exactly private info)
  3. Additionally, the notification was pro-active, meaning, Aetna was trying to be protective of their users... and I think they did the right thing
  4. Ultimately - this will lead to more companies being sheepish to talk about breaches (or potential breaches) for fear of suit-happy users...

I can't figure out which is worse here... some guy with his hand out obviously fishing for some free money... OR... a company that really needs to learn the value of their customers' data the hard way.

I welcome your thoughts!

Monday, June 8, 2009

Hello T-Mobile, You've Been Pwn3d

EDIT 06/09/09 @ 2:28pm CST:

Well, who would have thunk it. Apparently T-Mobile is admitting that the information posted by the hacker is real but there was no compromise of customer or internal information from those servers. ORLY? I'm not inclined to believe that... given that someone has hacked that deeply into the network... and T-Mobile is saying no data was compromised?

The only thing I can think of that would allow for such a situation as they're in now is if someone lost a spreadsheet with that information... which could also have been lifted off a laptop, whatever. Then you have a lot of internal knowledge without the actual penetration and theft. Maybe... just maybe this could be the case?

At any rate, I can't wait for more information to hit the wires... doesn't seem like we'll be getting much from T-Mobile in the way of being forthcoming.

EDIT 06/08/09 @ 12:08pm CST:

It almost doesn't matter, in the court of public opinion at least, whether this hack is real or imaginary... because if you look at twitter and Google T-Mobile right now... you'll see hundreds of blogs, news articles, twitter posts and all sorts of comments out there already feeding the fire. Should this turn out to simply be a hoax (which it may very well be)... T-Mobile has already been judged and the damage is done in the public eye... at least when it comes to those people who read/comment on the web regularly.

This just goes to show the kind of damage a well-placed "we hacked you" public disclosure (even by an un-named party, with virtually no evidence to back it up) can inflict on a public company. T-Mobile needs to do damage control, quickly... and quit with the "no comment" responses. Their current responses to media are just throwing fuel on the fire already raging out of control... and that's bad for business.

The mailing lists have been aflutter today with an interesting revelation. Starting with the release to the Full Disclosure mailing list, someone has made it painfully obvious that they have completely pwn3d T-Mobile.

This isn't the run-of-the-mill "hi, we hacked your web site and defaced it" announcement... this one is a little deeper, and much worse. No, this email announcement boldly announced that T-Mobile has been completely, totally, and wholly pwn3d by someone who chose to be anonymous... although one who has a great mastery of the English language.

Here's the text of the email...
Hello world, The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers. Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009. We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Please only serious offers, don't waste our time. Contact: pwnmobile@safe-mail.net
These guys are serious too. Pasted along with this taunting email is a list of servers and systems supposedly compromised... including the name, ApplicationID, OS, IP and other interesting tidbits. Either these hackers seriously own T-Mobile and their data... or they're playing it really convincingly.

What I find interesting, is the statement that the hackers have already contacted T-Mobile's competition, but that the competition wasn't interested in internal documents and secret data. That means one of two things... either there is actually some integrity out there... or as the hacker says, he was probably just emailing the wrong people.

I wonder what kind of figures these hackers had in mind?

Ref--> http://seclists.org/fulldisclosure/2009/Jun/0062.html

Friday, June 5, 2009

Aetna - Hard Lessons from a Web Site Compromise

Sadly, it's not too newsworthy [anymore] when yet another company's web site gets hacked and the results are felt almost immediately by its users. What worries me is when an article like this hits the wire: Aetna says web site hacked. Read the article, then keep reading here.

After reading that article I was a little disturbed by the statements made, so I contacted Cynthia Michener at Aetna directly, and asked for her comments. Interestingly enough... things aren't always what the mainstream media [re]prints them out to be.

What's worse: getting hacked or not knowing how you got hacked? I'm going to make a leap here and say that the only thing that's worse than getting hacked, and having to tell the world about it is then saying you have no idea how the "bad guys" got in. Read the article carefully?

"We know for certain that the e-mails were accessed, we don't know whether or not anything else was accessed," she said. "But we're erring on the side of caution, we want people to know."

A contractor has done a "thorough forensic review" but was unable to find out how the hackers penetrated the site, Michener said.

What a statement.

Reading that rattled me so much I went back to Cynthia to get some clarification, and to find out if there was any truth to that. First off, as she aptly stated, let's be clear - there was no banking, financial, or health data here... just job applicant information which happened to include emails, and SSNs (Social Security Numbers). Oh good... no, wait, well that sucks. By Aetna's numbers 65,000 people were in this system when it was compromised, and information that was contained in this jobs site included name, address, SSN, and some other job-related information. Fair enough... but let's focus on the fact that neither Aetna [nor the outside contractors they hired] could pinpoint the source of the hack or how the attackers got the data in the first place.

At the outset, this is a clear demonstration that whoever the hacker was (or whoever they were), they were obviously pretty good. Or... Aetna's security and their contractor are pretty bad... or the systems they're using are inadequate. No matter what, this doesn't spin well for Aetna. We've all discussed that it's not if but rather when a company gets hacked. Taken a step further it would follow that it is critical to have layered defenses and layered logging to tip off the system when an attack is successful... this is what appears to be missing here.

On the other side of the coin, you have to worry about the deeper question here. Aetna is making a statement that they were hacked, they investigated, and according to the article I quoted above... they gave up. This isn't entirely true, as Cynthia pointed out to me...
"In addition to the below information on the investigation and those affected (which I encourage you to read/use as this info will make more sense), here's some more information. To investigate, we hired an industry-leading, third-party computer forensic and security vulnerability analysis vendor to work collaboratively with the web site vendor to investigate this information. After a thorough forensic review of all available records of data access, the third-party expert has nevertheless not yet been able to pinpoint the precise source of the breach. We do know that the phishing e-mails employees and others received requested that the user respond to an e-mail address traced to a server in Russia. The e-mails themselves originated from numerous dummy e-mail accounts set up with an Internet web-mail service provider. Again, we don't know whether any other information was accessed or how these e-mail addresses were acquired by the third party. However, to err on the side of caution, Aetna decided to notify and offer credit monitoring to anyone who had a social security number in the database. Our investigation is continuing."
As the investigation continues I do hope that Aetna discovers the source of the stealthy hack. Furthermore, I hope they learn from this and implement better security counter-measures... not necessarily to do a better job of keeping the bad guys out - but to be able to figure out what they did and how they got in when the inevitable happens. Overall I think Aetna handled this quite well; erring on the side of caution is always a good thing.

Some info from Aetna's PR channel...
  • Incident initially discovered week of May 4th, 2009
  • Emails stolen were used to launch a spam campaign aimed at soliciting further personal information from Aetna job applicants
  • Aetna immediately (not sure how quick this was...) took the job site down, notified people, and posted notices on their Aetna.com website
  • Approx. ~65,000 people who were offered jobs with Aetna had their information potentially compromised
  • Information included: Name, address, DOB, SSN, phone number, and other job-related information
  • Majority of the people compromised are current/former Aetna employees
In the final analysis... I think the media handled this poorly by mis-quoting and mis-understanding the incident. I think Aetna did a decent job with identification, notification and triage of the incident. My concern continues to be that they still do not know how the incident was perpetrated... that should keep their CISO up at night.

Thursday, June 4, 2009

Malware Rising

  Yes, hacking by malware is the new hip trend.  All the cool kids are getting hacked that way.

Not to be left behind Aviva, USA says that at the core of their recent data breach was malware.

According to this article on BusinessInsurance.com, Aviva lost approximately 550 Social Security Numbers (SSNs) which isn't necessarily earth-shattering, but it is noteworthy that this continues the trend of Heartland Payment Systems, Hannaford Grocery Stores and many, many others who are blaming malware installed on their systems for their data breach problems.  Check this quick Google out.

Isn't that like blaming the hand-grenade that was tossed into an open window for the damage?  Wouldn't you blame the person who left the window open, then move on to the open window... and then move to the incendiary device?  They have to realize that the malware which they're blaming their troubles on was inserted into their systems by some human being which circumvented their security measures?  Right?

Wednesday, June 3, 2009

Dangerous Times for PCI Regulations, Auditors

An interesting predicament which could completely undermine the whole of the PCI-DSS initiative has landed in the lap of Savvis... in the aftermath of the CardSystems Solutions massive hack.  A lawsuit filed by Merrick Bank is targeting not the company that got hacked - but rather their auditor who certified them PCI compliant!  Savvis is being targeted because they allegedly missed something that led to the massive breach which CardSystems experienced.

  Wanting to get to the bottom of the story, and maybe get some rationale on why they're suing the auditor, not the company which got hacked I tried to go to the stables and get it right from the horse's mouth.  This proved to be much more difficult than one would think.  First, Merrick Bank doesn't seem to like people calling to talk about non-account matters, and has no specific phone number for non-account issues.  After bouncing around the switchboard I spoke with someone who identified herself as Myleen (sp?) and would only say that "Card Works official statement on this is No Comment" and hung up.  I'm fascinated by this reply, although I'm not entirely surprised.  Merrick Bank appears to be a little short of friendly if you don't have an account with them.  Their security page on their site is also... amusing.

  So this begs the question - why sue the auditor?  It's clear that Merrick Bank will have to prove that the auditor (Savvis) was both negligent and that the issue in question (the condition that led to the breach) was present at the time of the audit.  That's going to be challenging at best, although this quote from a Wired article may prove otherwise...
After the hack, it was discovered that CardSystems, which has since filed for bankruptcy, had been improperly storing unencrypted card data for more than five years, something Savvis should have known and reported to Visa. The processor’s firewall was also non-compliant with Visa’s standards. “Consequently, Savvis’ . . . indicating that CardSystems was in full compliance with CISP was false and misleading,” the complaint says.  (Wired News)
  So with that in mind, the suit moves forward, and PCI continues to be thrashed about in these troubled waters we live in.  Let's take a step back though and analyze what this type of law suit could do to the already-fragile PCI-QSA ecosystem.

  As it stands the Credit Card Industry is largely self-regulated... and VISA and Mastercard have worked pretty hard to get some standards for digital card security in place.  They've even built an ecosystem around this self-regulation in the forms of standards bodies, auditors, and vendors ready to take a company which meets the minimum requirements from zero to compliant.  Now it would seem as though the foundation for that ecosystem, the QSAs, are being targeted by this Merrick Bank suit.  This could spell disaster for the whole ecosystem if Merrick Bank wins this suit, let's make no mistake.

  QSAs are faced with a serious issue here.  On the one hand they should absolutely be held responsible for the audits they conduct... only someone criminally insane would argue otherwise.  On the other side of that coin it can be argued that to hold a QSA accountable for a compliance failure (at some point other than the day of audit) which leads to a compromise or breach is just as insane.  This of course breaks the argument back down into its most basic question, which has been debated over and over in academic circles, public forums and on stages all over... what is the role of the PCI-DSS in the overall security of credit card data?  If we accept that the PCI-DSS is a best-practice regulation and does not in fact guarantee security, and agree that compliance at its best is a point-in-time event... what does that relegate the PCI QSAs to?

  It seems like there is a serious crisis brewing.  If this suit proceeds, and Merrick Bank should somehow triumph and prove Savvis negligent - the costs of a QSA PCI-DSS audit will undoubtedly skyrocket.  Those costs will then be, without a doubt in my mind, translated into fewer audits being done ... and in the end this will lead to (at least a partial) failure of the PCI-DSS.

  I'm torn.  While I want to see QSA accountability... I also want to see the PCI-DSS evolve and not be undermined by its own sword.  As I've said before this is a dangerous time to be in the PCI game... 

NOTE: If you're looking for a brilliant lawyer's-eye view of this case you can read the analysis by David Navetta, here... on his blog "InfoSec Compliance".

Monday, June 1, 2009

Security - At Your Doctor's Office

Having some recent experiences with medical offices I've stumbled across something everyone goes through, but probably never thinks of.  Doctor's offices require your social security number (SSN) ... and often times much more information without actually needing that information.

To demonstrate this, I went through the typical doctor's office paperwork craziness, and conveniently left off my SSN.  I finished my information including name, address, consent signature and all that, just left off my social security number.

Guess what... no one noticed!  The doctor's office was able to process my medical insurance, bill them, and finish their end of paperwork without actually needing the SSN they required on the forms.  I can't say I was shocked... as I often see information being asked for that no one can explain except to say "Well, we need it for our records".

What I recommend to you, my readers, is the next time you're at your doctor's office filling out one of those forms... skip the SSN.  See if anyone notices.  If they ask you why you skipped it, question them and ask them specifically what the SSN is required for.  Don't take a lame "we need it for billing" as an answer.