Monday, November 24, 2008

more tao props - data visualization

another interesting (imo) tao article.

what jumped out at me is the attempt to take data normally displayed as text and move it into a visual format.

i've spent far too much time kicking this type of idea around (and definitely not enough time coding solutions: suX0r@me).

back in the day (at a corp which saw no value in log review) i was reviewing boatloads of event logs each morning, doing 'page-down, page-down, page-down' through the unparsed windows messages on the syslog server. i noticed that i was looking for a visual change in the text patterns scrolling by to get my attention: when the scrolling pattern changed, i'd page up and pay attention. i know this sucks, but the job didn't give me much time, and i figured it was better than nothing.

i ended up coding a different solution (which i'll finish and release some day, really!) that processed all these impossible-to-read windows log messages and turned them into useful info (ie: bob had 12,631 failed logins in the last hour).

but the visual cue thing sticks with me to this day. i've really wanted to build a visual scoreboard very similar to the tao post for use with either log events or network flows (kinda like bruce potter talks about: pay attention to the outliers).
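here's what the "bob had 12,631 failed logins in the last hour" step plus a crude text scoreboard looks like, as an added example (not the tool from the post). the log lines and their field layout are constructed for the example and are not a real vendor format; the outlier rule (more than twice the median count) is an assumption chosen to keep the example short.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample of syslog-forwarded windows logon lines. The field
# layout is assumed for this example and is not a real vendor format.
SAMPLE_LOG = """\
Nov 24 08:01:12 dc01 logon failure user=bob src=10.0.0.12 reason=bad_password
Nov 24 08:01:13 dc01 logon failure user=bob src=10.0.0.12 reason=bad_password
Nov 24 08:02:40 dc01 logon failure user=alice src=10.0.0.20 reason=bad_password
Nov 24 08:03:05 dc01 logon success user=alice src=10.0.0.20
Nov 24 08:14:55 dc01 logon failure user=bob src=10.0.0.12 reason=bad_password
Nov 24 09:01:00 dc01 logon failure user=carol src=10.0.0.33 reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"logon (?P<result>\w+) user=(?P<user>\S+)"
)

def failed_logins_per_hour(text, year=2008):
    """Count failure lines per (hour bucket, user); syslog omits the year."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "failure":
            continue  # unparsed noise and successes are dropped, not counted
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        counts[(ts.strftime("%m-%d %H:00"), m.group("user"))] += 1
    return counts

def outliers(counts, factor=2.0):
    """Return (bucket, user) pairs whose count exceeds factor * median count."""
    if not counts:
        return []
    cutoff = factor * median(counts.values())
    return sorted(k for k, v in counts.items() if v > cutoff)

def scoreboard(counts, width=20):
    """Render one text bar per (bucket, user) so a change in shape is visible."""
    top = max(counts.values(), default=1)
    rows = []
    for (bucket, user), n in sorted(counts.items()):
        bar = "#" * round(width * n / top)
        rows.append(f"{bucket} {user:<8} {bar:<{width}} {n}")
    return rows
```

printing `scoreboard(failed_logins_per_hour(SAMPLE_LOG))` line by line gives the same "watch the shape change" cue as the page-down trick, but with the noise already stripped.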

anyway, i'm not at a gig where i have visibility on big pipes or big syslog feeds anymore, so all my dev in this area has halted. hopefully i'll get back to it someday...

Thursday, November 20, 2008

a couple thoughts

first up, and kinda relating to my last post, there is a really interesting blurb over at tao sec.

Who buys stolen business data? Brett Kingstone, founder of Super Vision International ... knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology ... [which] made its way into the hands of a Chinese entrepreneur ... [who] built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures ... "They had an entire clone of our manufacturing facility"

ouch... it matches up w/ reports we've heard over the years, from titan rain to reports of mass EU data theft coming out of china. and it matches up w/ incidents i've seen personally.

anyway, the relation to the last post is just that identifying *what you have* that is valuable, and *where it all resides*, is a pre-req to getting down to securing those assets.


also, i've done some waf work lately, and came away feeling (like many others) that they don't do much to prevent application layer attacks.

i came across a sans diary entry (linkage lost) that gave me pause tho. in my experience fighting wafs, there was a lot of trial and error finding ways around them, and those bypasses varied depending on which waf i was fighting.

until attackers make smarter bots that attempt a variety of app level attack vectors, wafs might offer worthwhile protections against asprox-like 'dumb' bot attacks.

attackers sitting at a keyboard tho? not holding my breath there ;)

Sunday, November 2, 2008


to quote many good teachers: "keep it simple stupid"

while we're on that subject, i am often stupid... ;)


ever hear something like: "who is really going to attack it? there isn't anything valuable there"

it sounds reasonable and risk management-ish because they're allocating limited infosec resources by examining the likelihood of an event. but is the conversation limited to the perception of value held by the decision makers (who might be middle management for developers, dbas, sysadmins, etc)?

someone can covet something of yours, even if you don't know you have it.

say you have a reasonable security setup. you've got layer 3 segmentation into security zones, good firewall policies segregating traffic between those zones, and you've got a decent waf protecting your web app dmz. and let's ignore any argument that a compromise could be used to leverage an attack on another system in that security zone, since most non-infosec peeps glaze over at that point.

so you're trying to convince people to take you seriously about fixing those medium-rated host configuration vulns and web app flaws, and they're telling the cio "well, we already fixed the stuff rated high, and our people are stacked up and deadlines are tight. you know those security guys, they jump at their own shadows."

so our attacker alice pokes around. there's a portion of a mundane web app that appears to be vulnerable to reflected xss. but there's no login to steal, and no sensitive information on the site or host. the app doesn't do anything with money or sensitive info.

alice determines that using dangerous values in the suspected param results in a different 200 OK page, redir, reset, or whatever. alice probes the suspected vuln and determines that a small subset of xss attacks work past the waf. even when they work, the functionality is very limited because the waf is blocking many potentially abused html elements as well as some scripting syntax.

alice can use either scripting or html to influence user navigation, but is reliant on user interaction to do it. there is no significant limitation to normal characters or the length of her reflecting input.

so she designs a phishing mail or maybe puts together a fake flash advert for the target company. it's all legit looking w/ reasonable syntax and diction, and uses logos and says something like "come check our site, we make cool widgets". the link contains the xss that alters the contents of the page. the user still sees your legit site, but it has a little "limited time sale" bait or something like that. it's just a subtle 'click here to buy now', but they're already kinda interested in you and your widget because they followed the link. and the price is reasonable. not a steal, but definitely on sale.

alice registered a site with your look and feel, and it says "secure" and "safe" when you click through. it doesn't use ssl when you submit, so some potential customers might dig and notice, but some wouldn't. expect your package within 7 to 10 business days :P

so in the end, there are customers who went to your site and were offered a deal. their money is with alice, and your brand was leveraged to make it happen.

even if your waf picked up the probes, and even if your admins actually investigated, the probing could be done in such a way that the attack vector is not deducible. and alice could wait a while after the probe to perform the attack, and maybe get a couple days before anyone calls your helpdesk with a concern.

there are a lot of highly-effective subtle and simple attacks like this. there are proactive counter-measures that can reduce a lot of risk, but the solutions are often manual and mundane rather than sexy-terminatrix (btw: river tam ftw!) ninja hacker shit.
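the mundane fix for the scenario above is the app encoding its own output for each context it reflects into, instead of a blocklist in front of it guessing which elements matter. this is an added example, not code from any real application: the page template, the reflected search term and the structural check are all constructed for it.

```python
import html
import re
from urllib.parse import quote

# Constructed template for the "mundane web app": one parameter is echoed
# into the page body and into a link's query string (assumed shape).
TEMPLATE = (
    '<p>results for: {term}</p>\n'
    '<a href="/search?q={term_in_url}">search again</a>'
)

def render_vulnerable(term):
    """Reflect the parameter verbatim; a blocklist waf is the only control left."""
    return TEMPLATE.format(term=term, term_in_url=term)

def render_hardened(term):
    """Encode per output context, so no input shape can alter page structure."""
    return TEMPLATE.format(
        term=html.escape(term, quote=True),   # html body context
        term_in_url=quote(term, safe=""),     # url query-value context
    )

def page_structure_intact(page, expected_tags=("p", "a")):
    """Cheap review check: the only tags in the page are the template's own."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return {t.lower() for t in tags} <= set(expected_tags)
```

with a constructed input such as `<i>limited time sale</i>` the vulnerable renderer grows an extra element while the hardened one shows the text literally and keeps the same two tags.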

targeted methodical process and procedure can reduce a lot of risk, and can be implemented and maintained with relatively little manpower cost. think about that the next time you're getting wined and dined by some vendor for some 6 figure plus nifty gadget that is going to keep you safe.

there may be more value in investing in some mundane things (which might also end up improving the org overall ;)