Wednesday, November 14, 2007

the post i've been waiting to write

i hope it's not a letdown...

so i recently had a conversation w/ a buddy of mine... he is getting a new gig at a multi-national multi-billion company as a sort of security manager/architect/roadmapper/evangelist type of a thing... congrats to him again btw!

so, while we are talking, we get on the subject of where the heck should he put his efforts? i mean, in an org w/ thousands of hosts, if you are given the task to come in as part of a team w/ a mandate to re-do infosec, where the heck do you start?

my two cents was that you assume machines are going to get owned to shit, so you do two things... first, you segment your data as best you can, to mitigate the damage of inevitable leaks. 2nd, you assume that modern malware will infect you and that the modern "security software industry" won't be able to help you at all, and you do everything you can to separate data and functionality from your OS, so you can blow potentially kitted machines away on a whim...

anywho... we had this abstract conversation about the changing state of infosec... if you look at infosec perceptions vs infosec realities, you see that there is a schism between the two. the mainstream is still caught up in the hacker image of the disgruntled youth in his basement who has you in his sights and is clicking away on his keyboard, executing commands on hosts on your network.

this is what was happening on your network a few years back, but it isn't the primary threat you face today.

today you can get owned every which way from sunday, and the pwner will never notice that he could blackmail you about your 3 illegitimate children. he isn't going to read your email or im conversations. he probably isn't going to notice anything about you unless you trip some software if/then about your online banking acct, if that.

today's blackhat zombie-net operator doesn't care about you. he cares about the number of digits making up his zombie network. hell, you might get owned and not even have a purpose. maybe he'll use you for spam, or maybe for ddos, or maybe cull you for online banking stuff... even he doesn't know yet. he is building a network. he is building it bigger. he is widening the corridors, and adding more lanes...

i had problems explaining this to a previous employer... they were like "we don't handle cash, and we have a low profile. who would attack us?". my response that they had thousands of hosts around the world and many megs of inet bandwidth was met with blank stares. they couldn't wrap their heads around (and/or i failed to communicate) the fact that the currency being traded in blackhat circles had evolved yet again.

infosec is an arms race. as we find effective defense, the attackers find new attacks.

this really begins to suck in corp land. i'm sorry, but those tens of thousands of dollars you spent on firewalls won't protect you from modern vectors. and the tens of thousands of dollars you spent on AV won't protect you from modern malware. and your patch management infrastructure won't protect you from the latest vuln in the jar: protocol.

hell, most of you in corp land aren't doing anything proactive to defend against buffer and stack overflows, and those relatively modern and too-complex-for-joe-user defenses don't help against many modern attacks...

sucks, but it is farkin true. and the worst part is that you don't get much relief on the old stuff. similar to kaminsky saying (at bh/dc) that the best (/worst) part about design bugs is that they come back from the dead, so too do attack vectors. even though your firewall probably won't protect you from phishing, you can't throw it away when you buy a new tool that will.

the modern frontier is the application layer, which anyone reading this post probably has known for quite some time. this is virtually virgin defense territory, and we're seeing many diff types of attacks:

XSS
XSRF
media files that own you or annoy you
trusted web sites that own you
poor cookie/session handling that owns you

ok, so i'm running firefox (which i wish i could set to default for all of my corp users, but they run in-house ie-specific web-apps for business, soooo) with noscript, so i've gotta be safe. except that i always hit some popular site that requires scripting to function properly, and i decide to trust them so i don't need to click something every time i hit the site. oh crap, they get owned, and now i'm unknowingly running an invisible iframe back to some chinese site. it isn't like i'm going to see a defacement or something. look at the recent site hacks, like the myspace alicia keys hack. they try to be subtle and blend in. did you get an official email from myspace warning you that you might have issues since your myspace page links to alicia's? hell no... oh yea, and that one wasn't even a script, it was mostly social engineering...

i mean, how many hosts am i gonna get if i manage to insert a hostile script into (for example) break.com? out of the total staff of break.com, what percentage of employees do you think are worried about security as their primary job? what is the likelihood of an exploited vuln at their site over the next 12 months? say it exists in the wild for 8 hours... how many hosts will you get? 10,000? more? if break.com doesn't get owned in the next 12 months, how many other sites are out there that your users visit? do you allow outbound www? if so, you have a problem...

do you trust your online bank? i've done assessments on some banks, and i can tell you that my idea of security was incorrect. and your bank probably outsources everything having to do w/ money to some external entity that provides an app they use to run their business. that same app is used across many diff branches of banks. did i mention there is no ingress/egress network/transport layer filtering across those links? and if i can write a sploit that works on bank-x, it might work on bank-y or z...

and security is anything but constant. i know a site which looked pretty good. down the road, they overhaul their web server settings, and poof, raw ownage. clients who hit the site w/ scripting enabled were sent to china to run bad bad code. the javascript used cookies and http posts to send heartbeat info back to china to let the operator know the status of their ever growing network. does anyone beyond the few ppl who've seen this application level sploit know it exists? it isn't a major popular site, but the users who hit it number in the thousands. is there a methodology to inform those users that they are at risk? if there was, can we tell them how to scan their boxes to know they are clean? will up-to-date windows patches protect them? will ad-aware get it? spybot? will the owned site owners consider notification in any form??? did you know that xyz bank can get completely owned and probably never publicly say a word about it? not that your money will go away, but just that the integrity of their servers, which you visit and trust, was compromised and that you might be running malicious code...
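one thing a site owner can actually do about the invisible-iframe scenario above (the trusted site that gets overhauled and quietly starts shipping a hidden frame to a hostile host) is monitor their own pages for it. this is an added example, not code from the original post: a node script that pulls iframe tags out of served html and flags the ones that are both hidden and pointed off-site. SITE_HOST and the sample html are assumptions/constructed; the regex approach is a monitoring heuristic, not a full html parser.

```javascript
// Added example (not from the original post): a defender-side integrity check
// that scans a page's HTML for hidden iframes pointing off-site, the pattern
// the post describes when a trusted site is compromised. Regex-based, so it is
// a heuristic for monitoring, not a full HTML parser.
const SITE_HOST = "example-trusted-site.test"; // assumption: the site you operate

const IFRAME_RE = /<iframe\b[^>]*>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Turn one <iframe ...> tag into a lowercase attribute map.
function parseAttrs(tag) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Zero-size, display:none, visibility:hidden, or parked far off-screen.
function isHidden(attrs) {
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  const zero = (v) => v !== undefined && /^0+(px)?$/.test(v.trim());
  return zero(attrs.width) || zero(attrs.height) ||
    /display:none/.test(style) || /visibility:hidden/.test(style) ||
    /(width|height):0(px)?(;|$)/.test(style) ||
    /(left|top):-\d{3,}px/.test(style);
}

// Resolve src against the site and see whether it leaves our domain.
function isOffsite(src, siteHost) {
  try {
    const u = new URL(src, "https://" + siteHost + "/");
    return u.hostname !== siteHost && !u.hostname.endsWith("." + siteHost);
  } catch (e) { return true; }   // an unparsable src is worth a look too
}

function findSuspiciousIframes(html, siteHost = SITE_HOST) {
  const hits = [];
  for (const tag of html.match(IFRAME_RE) || []) {
    const a = parseAttrs(tag);
    if (a.src && isHidden(a) && isOffsite(a.src, siteHost)) hits.push(a.src);
  }
  return hits;
}

// Constructed sample: a legitimate embed plus the injected 0x0 frame the post describes.
const SAMPLE = `<html><body><h1>news</h1>
<iframe src="/player?id=42" width="400" height="300"></iframe>
<iframe src="http://badhost.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>`;
console.log(findSuspiciousIframes(SAMPLE)); // prints [ 'http://badhost.invalid/in.php' ]
```

run it against a fresh fetch of your own pages on a schedule and diff the result against the last known-good run; a new off-site hidden frame is exactly the kind of change nobody would otherwise notice.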

the brave new world is that hostile domains pop up and drop off the map before commercial security white/black lists can find them. they run traffic over common ports (80), or within accepted protocols (http).

wow, what a rant... the other main worry is a targeted attacker. there are corps who offer services to spy on specific targets... hell, 5 years ago my infosec prof told me about companies he saw that existed to eavesdrop on cell phones and data-mine trash. these people are out there, and you know what they say about the dedicated attacker, so here's hopin they aren't lookin at you... and hell, if they do, will you know if it is a misunderstanding or an attack?

anyway, i've wasted wayyyy too many electrons on your monitor saying this, but the point is just that if you're admining infosec anywhere today, your biggest threat is your employees running http to the web via port 80 and 443, and currently you probably don't have any reasonable way to protect your org from the myriad of threats you're faced with. i'm not chicken-little, but the state of things is less than optimal atm...

the attackers have shifted, and the defenders need to as well. we need out of the box OS and application design to limit the trouble users can get themselves into. as a wise man i know loves to say, we can't base our defense around hoping that people make good security decisions. we need to get to the point where we don't offer them the option to make bad choices.

2 comments:

Jens "jdm" Meyer said...

First, nice Comfort Eagle reference. Second, wow what a rant :)

I agree with a lot of what you said here -- the nature of attackers is changing and the security industry needs to keep up. I would argue that progress is being made, though, in terms of layer 7 vectors. Take a look at php ids. I think they're doing something great for webappsec -- something that's long overdue. No, it's not foolproof, but it is a start.

I don't think you failed to communicate your points about security changing at your last gig ;) I blame the disregard on ignorance of current threats -- no, it's not a hacker in his basement anymore (although some sec ppl wish it was). There are professional groups run by crime syndicates that are extremely organized and capable that operate with almost complete immunity.

While that may be true, security professionals must decide their own levels of paranoia. It is virtually impossible to close all attack vectors, so the only thing you can do is mitigate risk and lower your residual risk as much as possible. Do we allow web traffic? Yes. Ok, to mitigate that risk, all users must attend web vigilance training every six months.

The biggest problem is still the user, and I firmly believe that the more a company addresses this the better the security posture of the company. For example, my girlfriend recently went to a bank for some information. They printed it out and gave it to her and she left. Upon examining it at home, we realized they had accidentally given us the printout of someone's account details which included their SSN, the account numbers of all four accounts, their balances, her name, address, and phone number, etc.

Now I'm starting to rant, but the point is oversight happens and no matter how hard you try to foresee problems, there is always some mundane detail (like giving someone the wrong printout) that can still slip through the cracks. We should talk more about this.

rwnin said...

yea, that was quite a rant, eh... a little too negative now that i read it again, but hell, i was a little less than sober ;)

nice w/ php ids, but yea, it's just xss... i agree it is a start, but the problem is all of the vectors that are unprotected, and also that as this program matures, the attack surface will continue to change...

i've gotta disagree that it is virtually impossible to close all attack vectors... it _is_ impossible to close all vectors ;)

i agree w/ your point there, but the problem is that the threat window w/ web access is sooooo wide that things like web training don't seem like they are adequate (but def needed to eliminate some of the worst behaviors).

what we're seeing is functionality butting up against security, and functionality will _always_ win that battle w/ the users. if your user wants to hit fark or ytmnd or whatever, but can't if they don't disable a sec control, they will disable the sec control if they can...

i'm guessin that everyone who is protecting stuff that is _really_ valuable is just being extremely restrictive on web connectivity or denying it completely or air-gapping networks, etc etc etc. i can't see any acceptable middle ground... it's like we were talkin about w/ TOR... eventually you'll hit a hostile exit node... on the web, eventually you'll bump into a hostile site you happen to trust...

as for the shite w/ your gf and the bank, i totally feel you... i was in at the dr the other day, and he's using this wireless tablet (i didn't even ask if it was wep, i didn't want to know ;) to make notes about me and find info and such. medical records and all of that. we're talkin about it, and he says something about how they're running the whole deal over citrix (for security). i cringe thinking about all of your citrix posts, and we talk about it a bit, and he says "well, i guess that's what happens when you let a group of doctors decide what the right technology decision is"...

what can you do? it's the wild west out there... you can take steps to mitigate risk, but at the end of the day, some of your security is based around the fact that you are a fish in a school, and you're just hoping your number doesn't come up today...

anyway, i've got an idea for a firefox extension that might be able to help out a bit w/ a common attack vector... but it'll be just like php-ids, just covering one base... but, my goal is to actually code something for the greater good and release it damnit! we'll see if i succeed ;)