Wednesday, August 27, 2008

curr.state == enveloped

runnin through my feeds this morning, and came across this great cloud post by pdp... it kinda struck a chord, so i'm using it as a launching point for this blurb.

it doesn't really fit the usage of the term, but you're already in the cloud today. your credit card info resides on many different corporate networks. so does your ssn, and your mother's maiden name, and everything about you that allows you to validate and authenticate yourself w/ all of the entities you interact w/ on a day-to-day basis. all of this information is beyond your ability to protect.

so as "the cloud" gets buzzier and buzzier, it makes sense to examine it. don't freak on me and start doing the "nonono, it's a bad security thing, get it away!!!" don't try to stop it, b/c it will flow right around you (and your tower ;) and pass you by.

business and user communities generally don't consult security peeps until the enemies are at the gate, or a shot has already been fired (and probably found a target).

it is frustrating that we have to jump up and down screaming to get noticed sometimes, but in a way the business is practicing risk management by not implementing everything we sec-folk dream up. sometimes it is really tough to accept unmitigated risks that exist within the environments we are charged with protecting, but sometimes we need to act more like actuaries studying mortality tables. when you're looking at your org, you should spend some time looking at risk at 10k meters.

we place faith and trust in many places which can be exploited today, but we feel reasonably safe. can you say that your data is less secure in the cloud than it is on your local lan? really? cause i've seen a fair number of local lans, and nearly all that i've seen have higher exposure to internal threats and dedicated external attackers than i feel comfortable with.

(some) cloud companies are going to design (some) security into their models, and it might be better than what you have today. w/ all your un-audited server shares with default 'everyone' read permissions all over the place, and mobile machines traversing between your lan and hostile networks.

some cloud companies are going to make mistakes and get owned. some data will be disclosed. some cloud companies will learn, and some of those will improve.

i heard once that the us navy seals emphasize the phrase 'it pays to be first' during BUD/S hell-week. well, sometimes it doesn't pay to be first. i remember reading a story about a soldier in bosnia during the initial deployment in the 90s. he was manning a turret in a convoy, and a rock was thrown up from the vehicle in front of him, and he was killed. doing high-speed convoys on rock roads was a new thing for that unit, and there was an unforeseen risk. that really sucks. later convoys implemented counter-measures (drive slower, protect the turret from thrown rocks, etc) to adapt to the risk.

it hurts to be the first guy when you're faced with unidentified risks. but you can't be so afraid you don't operate. so when you're out there, try to be like spike:

It's not about strength or power - you gotta be fluid ... Water can take any form. It drifts without effort one moment then pounds down in a torrent the very next


if your org starts using the cloud, and you perceive that the risks you face are increasing, develop controls and procedures to mitigate the best you can, and roll with it ;)

Wednesday, August 20, 2008

beautiful attack

via zero day: suspected insider help or coercion to get backdoored components installed in atms. the people who installed the hardware were dressed like legit technicians.

this is a beautiful attack because it can be done in broad daylight against targets that people wouldn't normally suspect. if you don't get greedy and you don't slip up, you could run an op like this for a long time before anyone caught on.

the more we push automated systems out to physically autonomous end-points, the more we'll have to worry about similar attacks. i am surprised ATM physical security is relatively single-layered...

Tuesday, August 19, 2008

quick postage

ok, so bh/dc was an interesting experience. tons of good content at bh. didn't do many talks @ dc, but dc is always different than bh.

some more on the flash space... looks like more attacks cropping up.

seems like some interesting stuff may be going on w/ the fedora servers... suck ;)

anyway, i have a boatload of projects i need to be working on...

- http malware analysis
- flash research foo
- noscript foo spawned by hoffman 1
- noscript foo spawned by hoffman 2

and prolly more... also i have to write up my bh notes... anyway, more to come at a later date.

Tuesday, August 5, 2008

flash cookies

this isn't really new, and mb it isn't even worth sharin... anywho, i'd blocked flash-cookies out of my mind until recently.

so here's the deal. you can manage cookies, and clear your privacy setting when you close your browser, but chances are that flash cookies are still being set and maintaining persistence.

worse, i think javascript can access files a client has rights to read (not sure on that), and the ~/.adobe and ~/.macromedia directories default to the read bit for others on ubuntu and gentoo from what i see.

so, if i'm right about the js bit, there you have the ability to track web sites visited, and maybe even pull data like usernames and passwords/hashes (pandora) out of flash cookies.

not the end of the world, but mb worth keeping in mind... there seems to be a moz plugin project trying to deal w/ this issue...
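a quick way to check your own box for the permissions issue described above (added example, not part of the original post). it assumes flash player keeps its cookies as *.sol files under ~/.adobe and ~/.macromedia, with per-site folders below a `#SharedObjects/<random id>/` directory; the function names are made up for this sketch.

```shell
#!/bin/sh
# added example, not from the original post.
# assumption: flash player keeps local shared objects ("flash cookies") as
# *.sol files under ~/.macromedia and ~/.adobe, with per-site folders at
# .../#SharedObjects/<random id>/<site>/

# print every directory or .sol file under the given roots that has the
# read bit set for "others"
audit_flash_lso() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -type d -o -name '*.sol' \) -perm -004 -print
    done
}

# print the unique site names that have left a .sol file behind
list_lso_sites() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name '*.sol' -print
    done | sed -n 's|.*/#SharedObjects/[^/]*/\([^/]*\)/.*|\1|p' | sort -u
}

# drop all group/other access on the stores
lock_flash_lso() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        chmod -R go-rwx "$root"
    done
}

# usage:
#   audit_flash_lso "$HOME/.adobe" "$HOME/.macromedia"
#   list_lso_sites  "$HOME/.adobe" "$HOME/.macromedia"
#   lock_flash_lso  "$HOME/.adobe" "$HOME/.macromedia"
```

locking the mode only keeps other local users out; the .sol files themselves stay put until you delete them.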

raw domino ownage

everyone remember your truth tables and logic gates? :D



domino mother ucker (uckin w/ my shi;)

linkage

i have unfortunate personal interest in this blurb about game vulns... luigi seems to be the only guy tearin this space up (or at least the only one disclosing ;)

the moral here? the attack surface is growing much faster than people generally realize...

01010101010101010101010101010101010101010101

i accidentally lost my link to a better version of this story about a guy who is teaching classes to students on how to create malware... once again, here is my opinion of the av industry:



all your uber-secret mumbo-jumbo hasn't worked so good, so how about we try information sharing and public disclosure?

01010101010101010101010101010101010101010101

sucks when your free security products get you owned... the sad bit here is that i had a decent conversation w/ a bluecoat se who explained the app to me, and imo it was a very nifty concept intended to benefit the tubes at large...

blackhat

flyin out tomorrow... traded places w/ paul, who has contributed far more than i to the tubes... i have (endless;) plans tho!

anywho, i've got way too many things to do before i jump on the plane, and one of those is linkage dequeue foo... ready? :D