Monday, November 25, 2013

Shhh Files, Security Hunters and Malware Writers, Oh My!

I attended Michael Gough and Ian Robertson’s training on Friday, entitled “From Joe to Pro – Finding Malware in Your Environment,” sponsored by our local ISSA Capital of Texas chapter, BSides Austin, Critical Start and SourceFire.  I know from previous software employers who have paid ransoms that there are dirty secrets called Shhh! in security.  While it isn't publicized, companies pay handsome ransoms to prevent exploits that have been found from being made public.  Government agencies do, too.  In the case of software companies, it’s self preservation.  In the case of government agencies, it might be something tasty they want to let play out, for their own reasons.

First, accolades to Michael and Ian for their service to the security community.  They’re active in ISSA, InfraGard, ISACA and BSides.  They take time out of their busy days to share security intelligence and their findings as security practitioners with the community.  There is a great blog post about security hunters versus gatherers here: http://hackerhurricane.blogspot.com/2013/11/like-natives-infosec-needs-to-become.html
Caveat, IMHO: grassroots security training, effective patch management, compliance efforts and ongoing security monitoring using conventional means might be called “gathering” – while not sexy, these measures can monitor or alert on many security issues without drama.  That being said, compliance is, by its nature, not very effective against dynamically changing security attacks.

For sure, malware writers have the attacker’s advantage.  They have test labs equipped with available security software.  They are not inclined to release malware that won’t work against common countermeasures.  They choose when and where to release their malware.  Defenders are at a distinct disadvantage. 


The training was great, and enjoyed by a full house of security professionals!  One of the many perks of living in Austin is the community of security practitioners.

Monday, November 11, 2013

The Mysterious Case of ATM Denial of Service: Help Us Figure Out Who Dunnit


A security-conscious friend of mine recently received an automated call telling him that his ATM card was being cancelled due to a data breach.  The robo call said a new card was in the mail, asked him to monitor the account for suspicious activity and not to use the card – hence the denial of service.

He felt there may be more to the story, being an infosec professional – so he immediately called the bank to get more clues.  He found the keyword to getting intelligent insights from the bank was to use the word “fraud”, which got him to a knowledgeable customer service rep quickly.

The bank’s story:
The bank indicated that they had received a call from VISA specifying the ATM card number “might” have been compromised.  The key thing to understand is that there was apparently a data breach – his ATM number must have been in a breached database, ostensibly a 3rd party database.  Remember, he only used this ATM card at bank-approved ATM machines, not for anything else.  According to the bank, VISA did not tell them which 3rd party or database had been compromised.   

So it’s not a typical data breach, as he had only used the ATM card in question at bank location ATMs.  So how did the ATM number end up in a 3rd party database?  There are only a few immediately obvious ways:

  1. The bank sold the ATM number
  2. The bank’s ATM network was compromised and this card number was sold
  3. The fraud alert was a fake by VISA or someone masquerading as VISA, designed to cost the bank money to re-issue the ATM cards and to increase consumer fear that their debit transactions are not safe

Scenario 1 is highly unlikely as it would be a huge GLBA violation for the bank to sell an ATM number, and the bank is liable for any fraud.

Scenario 2 is also unlikely since there were no fraudulent charges and the alert came from VISA, implying the card was used somewhere.

That leaves Scenario 3, which is pretty darned stinky.  VISA does make more money on credit cards than debit cards.  Also, in the words of Sherlock Holmes, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth." 

So you have the clues - what do you think really happened?  Who dunnit?  Is there another explanation?   




Thursday, November 7, 2013

Katie Moussouris - Mother of Microsoft Security Bounties - at ISSA Capital of Texas Chapter meeting


Katie Moussouris, Senior Security Strategist at the Microsoft Security Response Center, and Mother of Microsoft bounty programs, presented at our ISSA Capital of Texas Chapter meeting today.  Katie is refreshingly unabashed, putting a fresh new face and positive attitude on Microsoft and security.  She’s absolutely not a stodgy, arrogant guy in an ugly suit being indignant about being a target.  She looks more like part of the solution.

Quick version: Microsoft bounty programs are now paying real and significant dollars to ethical hackers who want to do the right thing, which is to use their talents to let the vendor fix security problems before criminals have the pleasure of exploiting them.  Katie described Black Market, Grey Market and White Market approaches.  Enlightened technology providers understand all three, and provide ways for smart hackers to “do the right thing.”  Microsoft is proving itself to be enlightened on this count, with this bounty program.  Good bounty programs flush out targeted attacks faster, sparing law-abiding users from being hurt.

A few details:
  • Companies like Microsoft have target dominance.   If nobody cares about your company, you’re not a target.  If you are a market leading target, consider a bounty program.  Such a program will benefit your users in flushing out weaknesses and vulnerabilities before they can hurt your users.
  • Bounty programs will not tend to attract bad guys, because they know they will make more money with the Black Market.  Well of course.  However, most smart programmers are intrinsically good, wanting to solve problems and foil the bad guys – hence bounty programs are just good business.
  • Bounty programs can’t take the place of good security programming practices.  Sure, it’s great ad-hoc penetration testing, but it doesn’t take the place of investing in security.


All of that, plus Katie wore boots in Texas style!


Tuesday, October 29, 2013

10 Interesting Findings at LASCON 2013

· Hackers need to work on their PR

After LASCON and BlackHat this year, I believe hackers have treated media with disdain, and they are suffering for it.  IMHO, “hackers” is a misused term.  There are engineers who tinker, take things apart and try to break them.  Breaking things like websites, applications and OS’s is the best way to understand them and their vulnerabilities.  There is a completely different category of people who are “criminals” – they want money money money for work they did not do.  It’s just crazy to mix these two groups up, and the media is over-simplifying and doing just that.



Face it, most security problems are your own fault.  When time-to-market and performance eclipse security concerns in application development, and you use programmers without security training, your web presence is likely to suffer.  Where you host usually has very little to do with compromised websites, loss of data and public humiliation.

· Compliance to laws and standards does not guarantee security

Most security pros I know are disgusted with the influence compliance has on sensible investing toward IT security.  While no one will dispute the PCI-DSS has forced people to provide a modicum of appropriate patching and attention to security, it’s not the whole story.  Compliance investing can lead to missing the big picture – following the rules seems to ensure that you will be able to deal with hackers of the past.  Remember, hackers are a lot faster at evolving than laws and standards, which are notoriously slow to evolve and adapt to reality.

· Make your apps “secure by default” – don’t give users the opportunity to be Pwned.

IT customers, also known as “users,” are just trying to get something done.  They typically have no clue as to the security impacts of clicking through revoked certificates, suggestions at application install and warnings they do not read.  Adam Blank highlighted this in his talk.

· “Crypto doesn’t solve problems, it just moves them” – Matt Tesauro of Rackspace

How many times has data in motion been the big problem recently?   Not as much as data at rest.  Nobody is arguing the value of encryption, but it’s not the whole solution.

· Mobile Apps are the New Frontier for Hacking

Dan Kuykendall gave an interesting talk on security for mobile apps.  Interesting thing: when a user is on a laptop, they can see the HTTPS indicator in their browser.  Mobile user – no such luck.  Compound that with mobile apps with lifetime sessions, no curfew for requests and easy replay with NONCE – it’s surprising we have not seen more problems, so far.  Add to this mess the fact that many users have no idea that indiscriminate use of public wifi “puts it all out there” for anyone with a Pineapple (for the princely sum of about $90.)
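The three weaknesses in that sentence (sessions that never expire, requests that are never too old to accept, and nonces that are not actually checked) are each cheap to close on the server side. The following is an added example, not code from the talk or from any product it mentions: a constructed request verifier that signs each mobile API call with a per-session key, rejects requests whose timestamp is outside a short window, rejects any nonce it has already seen inside that window, and enforces a maximum session age. All names, constants and the sample request are my own assumptions.

```python
"""Replay-resistant verification of signed mobile API requests (constructed example)."""
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 300          # a request is only accepted within +/- 5 minutes of its timestamp
SESSION_MAX_AGE_SECONDS = 3600  # hypothetical "curfew": the session key is dead after one hour


def sign_request(key, method, path, body, timestamp, nonce):
    """HMAC-SHA256 over the request parts the client commits to.

    The body is hashed first so that tampering with it invalidates the signature
    without putting the whole payload through the HMAC.
    """
    message = b"\n".join([
        method.encode(),
        path.encode(),
        str(timestamp).encode(),
        nonce.encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side verifier for one session. `now` is injectable so tests can move the clock."""

    def __init__(self, key, session_issued_at, now):
        self.key = key
        self.session_issued_at = session_issued_at
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp at which it was accepted

    def _evict_old_nonces(self, current):
        # Only nonces inside the acceptance window need to be remembered: anything
        # older is already rejected by the timestamp check, so the cache stays bounded.
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items() if current - t <= MAX_SKEW_SECONDS
        }

    def verify(self, method, path, body, timestamp, nonce, signature):
        current = int(self.now())
        if current - self.session_issued_at > SESSION_MAX_AGE_SECONDS:
            return False, "session expired"
        if abs(current - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        # Check the signature BEFORE touching the nonce cache, so that unauthenticated
        # traffic cannot fill the cache or burn nonces on behalf of a legitimate client.
        expected = sign_request(self.key, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self._evict_old_nonces(current)
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces[nonce] = timestamp
        return True, "ok"


def demo():
    """Walk one session through a genuine call, a replay, a stale request,
    a tampered body and an expired session; returns the verdict strings in order."""
    clock = [1_700_000_000]                      # constructed epoch time, advanced by hand
    key = secrets.token_bytes(32)                # per-session key shared with the client
    guard = ReplayGuard(key, session_issued_at=clock[0], now=lambda: clock[0])
    body = b'{"to": "acct-42", "amount": 25}'    # constructed sample request body
    results = []

    ts, nonce = clock[0], secrets.token_hex(16)
    sig = sign_request(key, "POST", "/transfer", body, ts, nonce)
    results.append(guard.verify("POST", "/transfer", body, ts, nonce, sig)[1])   # ok
    results.append(guard.verify("POST", "/transfer", body, ts, nonce, sig)[1])   # replay

    clock[0] += 600                                                              # 10 minutes later
    stale_sig = sign_request(key, "POST", "/transfer", body, ts, secrets.token_hex(16))
    results.append(guard.verify("POST", "/transfer", body, ts, "x", stale_sig)[1])  # stale timestamp

    ts2, nonce2 = clock[0], secrets.token_hex(16)
    sig2 = sign_request(key, "POST", "/transfer", body, ts2, nonce2)
    tampered = b'{"to": "acct-42", "amount": 2500}'
    results.append(guard.verify("POST", "/transfer", tampered, ts2, nonce2, sig2)[1])  # bad signature

    clock[0] += 3600                                                             # past the session curfew
    ts3, nonce3 = clock[0], secrets.token_hex(16)
    sig3 = sign_request(key, "POST", "/transfer", body, ts3, nonce3)
    results.append(guard.verify("POST", "/transfer", body, ts3, nonce3, sig3)[1])  # session expired
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The window size bounds how long the server must remember nonces, which is what keeps the cache from growing without limit; the session curfew limits how long a captured signing key stays useful even if every individual request is fresh.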

· Google Dorking is fun and easy

Phil Purviance gave a fascinating talk at LASCON.  Simply go to www.googleguide.com, and you can learn how to get to (potentially damaging) cached pages the website has forgotten about, among other amazing things.  In addition, you can get personal information about others who inadvertently click “view on browser” or “web version” in an email sent to them from prominent companies.  Because of email client incompatibilities, marketers have turned to offering this option in emails – when you click on it, authentication is often assumed.  Oh dear.

· Rule #1 of Penetration Testing: “Don’t Rub It In”

David Hughes gave a great talk to a packed house on Pen Testing.  He described many tools and techniques, but the thing that stuck with me is that it is most important to “partner” with the customer when doing Pen Testing, if you really want them to fix their problems and become more secure.

· Mind those Blind Spots!

Robert Hansen gave a great talk on this topic.  Truth is, nobody knows everything – IT is just too complicated for that.  He also had a great quip I captured: “Don’t make the mistake of siding against consumers (and their privacy)”

· Sure, You are Fine – Why is your website unavailable?

Denial of service is a big problem for everyone, and financials have been hit hard recently.  Pez Zivic of F5 gave a great talk about his research on classifying DOS and DDOS attacks.  The bottom line: can you still access your website while under attack?

Tuesday, October 22, 2013

If Security is Theater, Matt Tesauro and OWASP can help prevent Drama

So, as we all know, IT Security involves a lot of useless theater.  What I learned today at LASCON 2013 is that really good defensive programming involves no theater - only hard work on the part of engineers.

I took part in a training today at LASCON 2013 from Matt Tesauro – "OWASP Top 10" – relating to what's important in application security.  Matt was an invited speaker and an incredibly talented security professional from Rackspace.  Rackspace must be very committed to application security to allow Matt the time to teach this course.

Security Theater involves drama, where identities are lost, people are hurt, company reputations are ruined. OWASP is all about preventing drama.  While there are laws (HIPAA, SB1386, SOX, breach disclosure laws) and standards (PCI, NIST, DISA STIG and Safe Harbor), the bottom line for security is how well applications are coded. No amount of auditing and regulating make an application safe - only good programming practices and diligence do that.

The OWASP Top 10 hasn't changed much recently.  It's about time (IMHO) that more security training is required of programmers - like OWASP's.  Less drama, more insightful programming.

One more observation.  A legion of security professionals I know are not developers.  Even if you're not a coder, take the time out of your busy day to learn something about application security, and become intelligent about the issues programmers face, if you intend to be effective in helping your company achieve better IT security.


Sunday, September 29, 2013

Black Hat - A Little More than Commercialism and Less than Malicious

With General Keith Alexander back in the news, I thought to share some Black Hat USA 2013 experiences.  As you may recall, the General was heckled during his keynote.  The General handled it pretty well, but a four-star general has got to be accustomed to adversity.  Speaking with several attendees, there is some raw emotion about this issue – apparently the General denied the NSA Prism program’s existence just last year.

I heard some griping about the commercialization of Black Hat, since originally there was no Sponsor Hall, but there were a lot of interesting new technologies to see there.  Personally, I really liked the Sponsor Hall, and vendors who have called me following up were pleased with the leads they got from the show.

The talks were extremely valuable.  Brian Meixell’s talk, “Out of Control: Demonstrating SCADA Device Exploitation”, really represented the spirit of the non-commercial Black Hat.  They had a SCADA setup hooked to a pump attached to a tank of blue fluid, and demonstrated a hack into the system from a laptop nearby.  They showed taking over control, and it was funny, because there was almost a messy overflow when they took control, which apparently the Black Hat people had scolded them not to do.  By the end of the demo, they had Solitaire running on the tiny SCADA screen.  This was a crowd pleaser, with applause breaking out periodically.
Brian Krebs spoke about his recent “SWATting” incident, where the FBI came to his house based on a tip by someone who didn’t like him.  His talk was entitled “Spy-jacking the Booters” and addressed sites that allow you to easily and affordably purchase a denial of service against websites – using PayPal!  He also had the concept of NPT – Noob Persistent Threats, done by people who “make script kiddies look smart.”
The most humorous presentation I saw was Patrick Reidy, from the FBI, “Combating the Insider Threat at the FBI: Real-world Lessons Learned.”  His slides were great – my favorite quote from his preso: “Every time you say BYOD, God kills a kitten,” with a picture of the cutest darned kitten trying to evade space invaders in the grass.

In his talk, Eric Fiterman, former FBI, had an interesting observation: “Antivirus is just ten years too late.”  I saw similar thoughts at the Sponsor Hall, with many vendors featuring their expertise, either built into software or provided as a service, rather than old-hat signature approaches.  His thoughts were around assuming zero trust.  He pointed out that malware can, and will, turn off logging.  He also pointed out that one way to look at hackers is that they are just admins without authorizations.  Admins sort of look like hackers to security professionals.

It was a refreshingly friendly, inviting and educational atmosphere.   The word hacker sounds so bad if you read the press.  Black Hat was full of hackers, but there was more of a sense of discovery and joy in engineering and taking things apart to see how they work than malice.

Friday, September 20, 2013

NSA caught in Affair - FBI becomes the "Good Guy"

Everyone I know in IT security is not at all surprised with the amount of information the NSA is collecting, internationally and domestically.  It is also likely that only the most naive foreign government is surprised.  

If you were having an illicit affair, you would know it, and close friends and frenemies would as well.  Getting "called out" about the affair publicly is a far different thing.  The NSA got caught, and the worldwide press is still having a field day at their expense.  It's embarrassing.

There are some European countries with strict privacy laws, and there are people there who may be nonplussed with the news.  It appears to me that citizens in the USA currently seem to be painfully aware that they are entitled to not-so-much privacy, post 9/11.

Interestingly, I see the FBI positioning themselves as the "good guys" - at Blackhat 2013 the presentations I saw from the FBI were frank, humorous, and sort of endearing.  From a PR standpoint, the NSA is not in good field position, opening it up for the FBI to take a kinder, gentler position.  At last month's ISSA meeting in Austin, three FBI agents were there in the audience, interacting with us.

Maybe this is actually a good state of affairs.   We do want the NSA aggressively preventing terrorism, and the rules go out the window when it comes to terrorism.  It's their mission, ugly though it seems at times.  As for the purview of the FBI, law-abiding US citizens want them chasing down domestic criminals who do harm to us, not spying on our personal lives.  You have to admit, for the average law-abiding citizen, our personal lives are sort of boring in the scheme of things.