Friday, February 29, 2008

happy über-kludge day!!!

Feb 29th is possibly the longest lasting kludge in human history.... if you've got a better one, i'd love to know about it ;)

Adding an extra day to the calendar every four years compensates for the fact that a solar year is almost 6 hours longer than 365 days ... However, some exceptions to this rule are required since the duration of a solar year is slightly less than 365.25 days. Years which are evenly divisible by 100 are not leap years, unless they are also evenly divisible by 400, in which case they are leap years For example, 1600 and 2000 were leap years, but 1700, 1800 and 1900 were not. Going forward, 2100, 2200, 2300, 2500, 2600, 2700, 2900, and 3000 will not be leap years, but 2400 and 2800 will be. By this rule, the average number of days per year will be 365 + 1/4 − 1/100 + 1/400 = 365.2425, which is 365 days, 5 hours, 49 minutes, and 12 seconds ... The marginal difference of 0.000125 days means that in around 8,000 years, the calendar will be about one day behind where it is now. But in 8,000 years, the length of the vernal equinox year will have changed by an amount which cannot be accurately predicted

info ganked from wikipedia :D

all your search results are belong to who?

ok... i think this is really important....

the ninjas over at google have been monitoring drive by malware in their search results, and they've come to find that more than 1% of their search results last month contained suspected malware... and they point out that the trend is increasing:

as expected, pr0n sites are more likely than other pages to contain malware. i obviously haven't read enough, but i wonder if google is delivering these pages or blocking them. even if they aren't delivering them, what about yahoo and others? i'd really like to know the percentage of malware sites which (would) appear on the first page...

one of the most important aspects of this shouldn't be overlooked. in many cases here we're talking about legitimate sights serving malware... we're talking about malicious adds being served, and other general badness.

this is why i run noscript and flashblock all the time. there are only a couple of domains i permanently allow. i don't allow youtube (or the new bs) by default, just as an example. sometimes it is a PITA, but this type of info reminds me that it is the smart thing to do. anyway, i'm getting ready to install safecache and safehistory too...


define value...?

a couple different sites picked this up... grossman has a blurb, but i think tao really hits it on the head.

i kinda want to share this w/ a previous employer, b/c it is what they need to hear. they'd always say "we don't have cash, so there isn't a security risk"... i tried to tell them, "you have over 1000 hosts w/ nearly 100 megs of bandwidth... that is valuable to some people even if it isn't valuable to you. there are a lot of other things they have which could be valuable. as the saying goes, one mans trash is another mans treasure.

so basically, this guy does some hacking, and finds out some private negative financial news about a corp. i kinda assume he wasn't searching for info like that, but who knows. he then goes out and sells the stock short, and picks up 250 grand after the company makes the info public and the stocks tank. they've identified the hacker, who makes approx 40k per year. not a bad haul.

the funniest part is that apparently due to securities law retardedness, insider trading is only when you legally know things and use it to trade. if you steal secrets and trade on them, insider trading doesn't apply. i wonder if they'll get the guy on hacking charges or not...

an ironic hack...

Sunday, February 24, 2008

infosec dogma

so i was gonna just post some pictures and do a little ranting, but my good buddy is on the same page as me w/o either of us knowing it. he wrote up this blurb here, and i think it fits where my head is at right now...

so first the pics and rants, and then i'll see if i can thread this into a cohesive post... ;)

alright, so i found this sticker in a hotel in FL. i might be missing something here, but if i understand correctly, this is some type of "security control". it says, "this sticker must be on all vending machines, and if it isn't then call this number to get a reward!"... ok, so run that past me again. the florida legislature expects consumers to be vigilant enough to notice the absence of a sticker, and then also expects that the consumer has pre-recorded a hotline number so they can call when they see that the sticker isn't there? seems like it puts a large burden on a "user" to enforce compliance... i'm really not sure what this is supposed to solve anyway. perhaps these machines have a tax levied against them or something? i donno, if i was a crook, i think i'd just make a fake sticker, since there are no anti-counterfeiting devices to make it tough to duplicate...

i found this one out at a client site... i guess this is some type of passive-aggressive outreach program? i can't think of a better way to entice a potentially reluctant user to come forward with information than to imply that he/she is a pest, and that _really_ they shouldn't think they might be wasting your time or anything.

anyway, those both cracked me up...

so here's how i see this tying in w/ the jdm rant. in the oft-repeated words of my mentor, "security is a process, not a product." this means that we have to look at things (someone smack me for using this word) holistically. yea, it's great that you have a strong password policy and that you update your machines on patch tuesday, but you're shooting yourself in the foot by having all of your shares running everyone/full-control and leaving that script you used to set your new local admin passwords out where anyone can stumble over it.

i don't really agree that user education is the first place we should look to make things better. security is a frame of mind, and some people just don't think that way. kinda like how some people are great at algebra but suck at geometry and trig, or vice versa. it is a monumental task to try to get tens or hundreds of people to change their innate way of thinking. again, to paraphrase my mentor, why should i give them the choice to do the right or wrong thing? i'd much rather take away their ability to make mistakes. if, for technical or political reasons, you can't stop them from making mistakes, then try to make the mistakes as hard and/or painful to make as possible.

it isn't our job to bring people around to our way of thinking, so they can navigate treacherous waters safely without us. our job is to create systems and processes that keep our users from knowing that they are in danger. our job is to teach them not to put their hand on the red-hot burner on the stove, but we can't expect them to have full comprehension of a subject matter which we devote our careers to.

every day when you drive your car you engage in one of the most potentially lethal activities you'll ever undertake (unless you're a cop or a soldier, etc). and yet millions of people do it w/ complete ease every day. they do it without a care in the world. they do it while talking to friends and loved ones. they do it while putting on make-up, and eating, and sometimes reading a book. (note that these people help make it more dangerous for the rest of us ;) they engage in this activity because we have a series of processes that give them comfort. they have a seatbelt snugly around their bodies. they believe that if there were a crash, airbags will deploy and keep them from harm. there are general rules for use of the road, and these rules are loosely enforced by trustworthy individuals who keep the most dangerous among us from causing too much damage.

here we have an extremely high-risk activity which is well managed. we have a general barrier for entry (age, license testing, and insurance requirements), and we have pain for non-compliance (tickets, revocation of privileges, raising insurance rates, and jail time). there will be crashes, and there will be fatalities. but for the most part, these loose controls keep the herd in line, and manage the risk well enough that business can continue.

a 2U box in a rack can't devise a system like that for your org. instead of dropping thousands or hundreds of thousands on security hardware, hire someone who knows what they're doing and what to look for to come in and look over your environment, and then _implement their findings_. if you can swing it, hire them on full time. a real infosec ninja can do more benefit for your org w/o spending a dime than any appliance will ever be able to provide. that's the good news.

the bad news is that it isn't nifty hollywood hacker shit. there are no uber-replicating bunny viruses we can fight on the monitor in real time, and unfortunately we never get to see angelina jolie removing hawt leather clothing in the course of doing our jobs. no, when it gets right down to it, and when you cut out the mystique, our jobs as infosec professionals can be kinda tedious. we're managing risk. we're weighing possibilities and guessing at attack vectors. what is the biggest bang for the buck i can get improving your security? what is the most likely compromise? how much will it hurt you if incident X occurs, and how can i reduce the likelihood that it happens?

in this business, we can only make you as strong as your weakest link. if you're only going through the motions w/ infosec, if you're just looking to check that checkbox and get back to "real" work, then we can't help you.

Saturday, February 23, 2008

full disk decryption hack

i think this is a super-cool (haha) hack.... i hope these ppl are gonna bring this to present at bh/dc, or notacon...

a very impressive way to get around something that i think most people took for granted as highly secure...

Wednesday, February 13, 2008

security theater

wow... bruce is prolly gonna light this up in the next cryptogram...

so there's a huge backlog of visas for people to get into the country. to relieve the backlog, apparently they are going to skip detailed background checks and approve visas which have been waiting for over 6 months...

you know, terrorists try to get visas too...

what kind of sense does this make? wtf?

well, here is one opinion:
Make no mistake, this bureaucratic cave-in is nothing short of a sugar-coated admission of the agency [DHS] being incapable of doing its mission.

Tuesday, February 12, 2008

trust but verify

ok, so i was having this conversation w/ a buddy a few days back. we were talkin about baseball, and all the cheating and such. and then of course the superbowl came up, w/ the recent allegations that the pats cheated in previous superbowls.

the conversation covered a lot of ground, but some parts stuck out in my mind. for one, the whole history of drug testing and baseball. over and over throughout the saga, you have people with vested interests making decisions that they are in no way impartial about. the players unions can't tell us if it is ok to test for steroids, because they represent the people who would be using steroids for personal gain.

it's just like the NFL, where you have a team that was caught cheating already. then allegations come up that they cheated in the same basic way in a different circumstance, and the NFL commisioner and peeps are like "oh, we don't think it's credible"... i'm sorry, what? it isn't credible because they've already done something exactly like that? or it isn't credible because you don't want any bad press or feelings right before the biggest game of the year?

so we got to talkin about how to fix cheating in baseball. we ended up agreeing that the way to do it was to have a completely independent body who tested pro atheletes (in multiple sports) for drug use. indepent funding, management, etc. this would keep the organization from having conflicts of interest, and should insure the impartiality of the testing to both the players as well as the team management.

i think this situation ties in very nicely w/ an infosec situation i was just in...

so, one reason to get an external company to do a review or assessment of your security posture is to verify that your people are doing what they tell you they are doing. you trust them, but it doesn't hurt to have another set of educated eyes looking over the situation.

so what if your org uses outside contracters to do work? well, in my estimation, you do the exact same thing. you bring in a 3rd party contractor to verify what's going on. it is really funny to me how in the RW you end up w/ people in these situations worried about how the original business partner feels. this isn't personal. you're handing them a check. it isn't about their feelings, it is about the quality of the work.

anyway, i was out of town doing an assessment at a bank a few days back. the CISO of the company had been using a consulting shop for network and security services. they had a vulnerbility identified a year back, and the company stepped in to sell them a product and offer consulting hours to remediate the vuln. i get in there, and i'm looking at the diagrams, and i'm like "why is this thing here again?" it just isn't making sense to me. the more i dig, the funnier things get. it ends up w/ the consulting company refusing to grant me access to review the firewall policies, and a review of a text version of the supposed firewall config reveals that the issue which was supposed to be remediated were, in fact, still present. and beyond that, the scope of the issue had grown over the past year (via direct action from the consulting company).

so i delivered my preliminary report before i jetted out of town, and the CISO looked fairly unhappy.

some people might blame the CISO. shoulda been technically proficient enough to see the issue hadn't been fixed. well, i'd take the position that managing infosec is wayyy different than implementing infosec. i don't want my CISO to know how to implement sec... i want them to manage it, and trust me that i'm doing the job...

and i definately want them to verify the work that's being done...

Monday, February 11, 2008

end point network monitoring?

there is an interesting post over at tao sec that talks about running network security monitoring out at the endpoint, mostly to cover blackout periods where mobile devices are on unknown hostile networks...

i think this is nicely future focused idea. it is clear that the hard borders of our networks are eroding very quickly with the glut of mobile devices and alternate connection technologies.

on the flip side, i struggle to imagine the org of any decent size which is willing to put together the resources to tackle monitoring the network sec logs from all their mobile devices on top of their fixed sites. but i guess rather than being negative, i should see that as an opportunity to build better data analysis tools...

Friday, February 1, 2008

are you alive?

ok... so a friend n colleague of mine pointed out that the yahoo captcha has reportedly been effectively compromised...

as others have said, we've kinda seen this building for a while now.

but, mostly the responses i'm hearing from the sec community have all been centered around building a better captcha to save us from the coming onslaught of spam (and some more xss prolly)...

imho, it is a poor stop-gap to make this the focus of mitigating the issue. we know this is attack and defense. we know the goal-posts move. so stop trying to build a better wall! build a series of redundant walls that force your enemy into overlapping fields of fire. it is accepted practice that we have layers of security in other areas, so why aren't we doing more of it here?

a significant portion of code on web sites is dynamically generated already, so that makes our job easier. the most simple thing we can do is use multiple strong captchas, where a single one is psuedo-randomly picked for a given page render.

then, while you're at it (or mb instead) you can use other methodologies to add layers to determining humanity from script. we can make small transparent things look interesting to scripts. we can make fake forms that human users don't see. we can make invisible iframes too, but use em as tar pits for bots.

the point is that there are a range of simple tests that can be done to attempt to id bots without putting more burden on users or captcha developers.

some pages do this stuff already, but you can still take it further. say we say we have 10 tools in our toolbox. we don't have to walk onto the battlefield in rows and columns and never deviate. we can dynamically utilize between 3-7 tools on a given page render and randomize which tools are picked from the pool. we can use more attack-like tactics to raise the bar right back. we can obfuscate our code too... we can use polymorphic structures to try to confuse the bots... why are we giving our attackers static defenses to target?

anyway, bonus points if u recognize the reference in the title of this post, and a gold star if you get the irony... peace!