Tuesday, November 27, 2007
Sunday morning I followed up on a case involving a new mass-sploiter. It was interesting - PHP remote file inclusion attack with a hosted exploit that was targeting Windows. Of course, it didn't affect any of the systems it touched on my end, and I decided not to try for the binary. Why not? Because it was Sunday morning, I was at my in-law's house, packing up to go have a late Thanksgiving with my family.
And then it hit me. Get ready. Here it comes. As we head into the holidays, the malware folks are gearing up, hoping to catch us off guard. They've already got the design in place, the new text for socially engineering users and packing & obfuscation tricks to bypass spam filters and AV scanners. They're just waiting. Last winter it was New Year's Eve and then the SuperBowl. The timing of those attacks was no coincidence. This season I expect something similar.
Thursday, November 15, 2007
Attack Surfaces and The Impending Headache
If you rewind 6 years, the big security pain point for most companies was the disruption caused by worms like Code Red, nimdA, Slammer, Sasser, Blaster, etc. The common thread that made these worms so effective, and thus disruptive, was widely-deployed, unpatched Microsoft products.
Today, the threat of a catastrophic worm of this type is almost non-existent in most modern networks. Microsoft fixed code, we deployed client firewalls and automated patching, and got serious about the security of Internet-facing services. This is good news, but it's also a mixed bag. The attacks didn't stop, they just changed.
Other attack surfaces - web applications and web browsers - started to get attention. And today, an unpatched exploit for IE is worth more to the bot/adware crowd than one for IIS 6. But lately there's been an upswing in exploits against third-party apps that integrate with web browsers. QuickTime, RealPlayer, Acrobat Reader and Shockwave have all had remote code execution vulnerabilities discovered - and exploited by the bad guys - in the past few months. And this is exacerbated by the fact that at least half of your QuickTime or RealPlayer installs are from folks that installed iTunes or Rhapsody so they could sync their MP3 player at work, so you don't even know that they're out there.
But here's the real teeth-kicker. There was also a vulnerability in Viewpoint Media Player announced last week. With an exploit circulating. And I'll bet that until you read about it being vulnerable, you had never heard of Viewpoint Media Player and didn't have (and perhaps still don't have) any idea where it's installed throughout your network.
So now I have to defend mobile workstations against attacks on software I don't even know is out there? We have a pretty tight workstation management regimen where I work, and I was able to poll our software management tool for Viewpoint. And sure enough, there are a half-dozen installs.
So the picture this paints for the near future isn't pretty: even more time spent trolling mailing lists and RSS feeds for new vulnerabilities, expensive software to inventory your workstations and manage the software that's installed on them, a politically charged fight to take away local administrator privileges anywhere you can, and developing new ways to triage and mitigate vulnerabilities while you wait for some tiny software shop to fix the vulnerability.
Or, you could just focus on the insider threat. ;-)
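The one concrete step in the post is polling the software management tool for a single product. The script below is an added example, not something from the post: it generalises that step to a watch list, taking an inventory export in a host,product,version layout (the layout is an assumption; whatever your management tool exports can be massaged into it) and reporting every workstation that carries a watch-listed browser plug-in. The inventory rows are constructed sample data; the product names are the ones the post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): cross-reference a software
# inventory export against a watch list of browser plug-in products.

# Products the post names as recently exploited browser plug-ins.
WATCHLIST='Viewpoint Media Player
QuickTime
RealPlayer
Acrobat Reader
Shockwave'

# Constructed sample export; a real one comes from your inventory tool.
# Assumed layout: host,product,version with a header row.
SAMPLE_INVENTORY='host,product,version
ws-001,Microsoft Office,2003
ws-001,QuickTime,7.2
ws-002,Viewpoint Media Player,3.2
ws-002,iTunes,7.5
ws-003,Rhapsody,4.0
ws-003,RealPlayer,10.5
ws-004,Viewpoint Media Player,3.2
ws-005,Shockwave,10.2'

# Print "host,product,version" for every inventory row whose product name
# contains a watch-list entry (case-insensitive, so "QuickTime 7" still hits).
find_installs() {
    printf '%s\n' "$1" | awk -F, -v list="$2" '
        BEGIN { n = split(list, w, "\n"); for (i = 1; i <= n; i++) w[i] = tolower(w[i]) }
        NR == 1 { next }                       # skip the header row
        {
            p = tolower($2)
            for (i = 1; i <= n; i++)
                if (index(p, w[i])) { print $1 "," $2 "," $3; break }
        }'
}

# Count the distinct hosts that carry one named product exactly.
count_hosts_with() {
    printf '%s\n' "$1" | awk -F, -v prod="$2" '
        NR > 1 && tolower($2) == tolower(prod) { h[$1] = 1 }
        END { c = 0; for (k in h) c++; print c }'
}

echo "Watch-listed installs:"
find_installs "$SAMPLE_INVENTORY" "$WATCHLIST"
echo "Hosts with Viewpoint Media Player: $(count_hosts_with "$SAMPLE_INVENTORY" 'Viewpoint Media Player')"
```

Substring matching is deliberate: inventory tools rarely record a plug-in under one stable name, and "iTunes" rows are ignored even though they are the usual reason QuickTime is present, which is exactly the blind spot the post describes.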
Fixes For ArcSight Console on Linux
If you're like me and you prefer to run a distro other than CentOS or RedHat Enterprise on your laptop or workstation, you may have run into problems trying to install and run ArcSight Console. So here are a couple of quick hack/fix tips that can get you up and running.
1) The problem: The installer won't run. It gives the following error:
error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
The fix:
sed -i 's/export LD_ASSUME_KERNEL/#xport LD_ASSUME_KERNEL/g' ArcSight-4.0.0.5206.0-Console-Linux.bin
2) The problem: When I try to run the installer or a previously installed console, I get the following error:
java: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.
The fix:
sed -i 's/XINERAMA/FAKEEXTN/g' $HOME/arcsight/Console/current/jre/lib/i386/xawt/libmawt.so
3) The problem: Some windows don't draw correctly or at all when running the nvidia X11 video driver. I run 'arcsight console' and it hangs.
The fix: Switch back to the lame, non-AIGLX nv driver.
The hack: For some reason, if you run Java inside of strace, it works. (I suspect this has to do with Java threading.) Edit the execjava.sh script in the current/bin/scripts directory. The very last line begins with "$JAVA_HOME/bin/java". Put 'strace' at the beginning of that line. Now run 'arcsight console' like you normally would. Using 'strace' generates a lot of overhead, and will slow the console down, but it runs, which is more than you had before. And if you just can't give up compiz's wobbly windows, this may work for you.
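The three fixes above all edit files in place, and two of them edit files where byte offsets matter: the installer is a shell script with an archive appended to it, and libmawt.so is a shared library, which is why the post swaps "export" for "#xport" and XINERAMA for FAKEEXTN rather than for something longer. The script below is an added example, not the post's own commands or anything shipped by ArcSight: it applies the same three edits with a one-time backup, refuses any replacement that would change the byte count, and skips files that are already patched. The file paths and the version string are the ones the post names; the exact wording of the lines inside the ArcSight files is assumed, so check it against your install.

```shell
#!/bin/sh
# Added example (not from the original post): apply the three ArcSight
# Console workarounds with a backup, a length check and idempotence.

# Back a file up once (FILE.orig) before the first in-place change.
backup_once() {
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig"
}

# Replace OLD with NEW everywhere in FILE, but only if both strings have the
# same byte length, so offsets inside the self-extracting installer and the
# shared library stay where they were. Prints patched, unchanged or refused.
patch_same_length() {
    file="$1" old="$2" new="$3"
    if [ "${#old}" -ne "${#new}" ]; then
        echo "refused"; return 1
    fi
    if ! grep -aq "$old" "$file"; then
        echo "unchanged"; return 0
    fi
    backup_once "$file"
    sed -i "s/$old/$new/g" "$file"
    echo "patched"
}

# Fix 3 from the post: run the console's JVM under strace. The '-o /dev/null'
# is an addition here so the trace does not flood the terminal; drop it if you
# want to see the syscalls. Skips the script if it already starts with strace.
wrap_java_in_strace() {
    script="$1"
    if grep -q '^[[:space:]]*strace ' "$script"; then
        echo "unchanged"; return 0
    fi
    backup_once "$script"
    sed -i 's|^\([[:space:]]*\)\$JAVA_HOME/bin/java|\1strace -o /dev/null $JAVA_HOME/bin/java|' "$script"
    echo "patched"
}

# Paths as named in the post; the installer version is the one the post shows.
apply_all() {
    patch_same_length ArcSight-4.0.0.5206.0-Console-Linux.bin \
        'export LD_ASSUME_KERNEL' '#xport LD_ASSUME_KERNEL'
    patch_same_length "$HOME/arcsight/Console/current/jre/lib/i386/xawt/libmawt.so" \
        XINERAMA FAKEEXTN
    wrap_java_in_strace "$HOME/arcsight/Console/current/bin/scripts/execjava.sh"
}

# Only touch real files when asked: sh fix-arcsight.sh --apply
case "${1:-}" in
    --apply) apply_all ;;
esac
```

The .orig copies are what you restore from if a later ArcSight update expects the untouched files, and the length check is the part worth keeping even if you only ever run the post's one-liners by hand.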
Friday, November 9, 2007
Snort Turns 9, Marty Talks About 3.0
Snort turns 9 years old this month. It's come a long way and gotten a lot bigger:
paul@arnold ~/snort-0.96$ find . -type f |wc -l
21
paul@arnold ~/snort-2.8.0$ find . -type f |wc -l
1311
Today Marty blogged about the changes that Sourcefire has in mind for the 3.0 engine. Some of this is old news, some of it's brand new. Here's what I found to be of specific interest:
0) Rewrite the core frameworks for Snort from the ground up to clean out code base cruft and leverage external libraries where possible to [...] effectively reduce the size and complexity of the code base making it easier to extend and ultimately lending the security benefits of a smaller code base.
Amen. The Snort 2.8.0 binary alone is over 8MB, to say nothing of the dynamic preprocessor libraries. It can be more if you compile in support for MySQL or PostgreSQL. That said, 2.8 and stream5 are significant improvements over their predecessors. If you're still on 2.6 or 2.7, don't wait for 3.0.
1) Build a "contextually aware engine", one that has the ability to understand what it's defending built around the concept of network context. Network context is essentially data about the environment that is being defended by Snort, the composition of the hosts in the network as well as the local network composition.
I'm glad to hear Marty say this, though frankly it's part of what we've built with the help of Oinkmaster. Trying to get the right rules turned on and looking at the right traffic is tough and requires deep knowledge of your network and how to configure your IDS. And it takes time. But it's worth it, and it is definitely the hardest part of tuning out false positives (and avoiding overtuning so that you miss real attacks). Anything Sourcefire can do to make this process more intuitive is a good thing in my book.
2) Abstract and compartmentalize Snort's subsystems to make components "separable".
Sure. I think that we started seeing this with 2.6 and the dynamic preprocessors. I would like to add that I think Snort is due for an update or replacement for barnyard. Something more flexible and more easily integrated (and with better documentation) would be nice.
4) Add an interactive shell to the system so that it may be more fully orchestrated at runtime.
He's talking about Lua. I like the idea of an interactive shell interface to the engine. Honestly, though, I'm not sure what I'd do with it.
5) Multithread the engine to take better advantage of multi-core platforms that are standard today.
If you wouldn't hate me for it, I'd embed dancing hamsters or puppies or something equally ridiculous as a symbol of my elation. In other words, it's about effin time. Snort being single-thread only is, in my opinion, the single greatest scalability barrier that it has.
Data Source API - An abstraction API between the facilities provided by the data source and the rest of the Snort 3.0 software framework. This API exists so that the rest of Snort 3.0 can work without caring whether the Data Source is implemented as hardware or software.
And last but not least, what may be a second I-told-you-so for me this week. I don't know, but I suspect the purpose of this API is to eliminate the need for a LibPcap-bound network interface and open up the possible ways Snort can acquire network data like, say, disk?
Thursday, November 8, 2007
Targeted Phishing, You Don't Say?
I hate to say it... Oh, who am I kidding? I LOVE to say, "I told you so!" This is actually pretty neat, so long as you're not salesforce.com.
(Via Schneier) Salesforce.com admitted today that one of their employees was the victim of targeted phishing. And that once his account was compromised, it was used to get lists of e-mail addresses for... wait for it... more targeted phishing attacks!
So as targeted phishing attacks pass from the realm of pen-testers-who-can't-use-debuggers to actual criminals, the anti-spam/phishing segment is going to have to catch up. And it's not going to be easy, because traditionally collecting spam and phishing e-mails has been remarkably easy. But once the attacks become targeted, it's exponentially harder to get samples before the damage is done.
Enter the custom-tailored anti-phishing service. Gonna call those VC folks back.
Wednesday, November 7, 2007
And They Were All Yellow
Symantec bought Vontu. Never heard of Vontu? They are an established player in the data-leakage security niche. Primarily deployed on networks that fall under the purview of the Gramm-Leach-Bliley Act, Vontu's flagship product works like an IPS, but instead of loading it up with vulnerability signatures, you load it up with keywords and snippets of your confidential data.
For $350M, this is a gamble for Symantec for a couple of reasons. First, the expansion of the data-leakage market is very much a question-mark. Sure Vontu's poised to dominate if it does blow up, especially with Symantec's Panama Canal of a channel. But Symantec is a desktop client company. They've killed every network device they've ever acquired, and some that they built themselves. Sure Vontu has a desktop client as well, but it's not their leader.
What I find most interesting about this acquisition is that Symantec is known for paying pennies for secondary niche players and trying to pump them on their brand recognition against primary niche players. Their whole product strategy can be summed up as "one brand, one vendor." In this case, they bought one of the best-of-breed players in the niche, if not the top dog. And they paid good money for them, too. Recent acquisitions like Altiris and Revivio were more of the old Symantec trying to find a bargain buy into a new market. So the Vontu purchase leaves me confused. I would've expected Symantec to buy somebody like Tizor and stay away from Vontu and PortAuthority.
By the way, there's an excellent Forrester paper on Symantec's ongoing shopping spree. If you work for a Forrester subscriber, or own a lot of Symantec stock, it's worth reading. (I am the former and not the latter, for what that's worth.) If you're keeping track, Symantec has acquired no fewer than 31 companies since 2000.
Also, Vontu co-founder (and recent multimillionaire!) Joseph Ansanelli testified before a House subcommittee about combating identity fraud. (PDF Link) Another interesting read, but when you contrast this with the recent ID theft study that Bruce Schneier blogged about today, you have to wonder if there's a decent sales line for these products beyond GLBA compliance.
Tuesday, November 6, 2007
Am I Not In On The Joke?
So I just found Security Mike's Guide to Internet Security.
You have to understand that I respect the hell out of Mike Rothman. Which is why I am choosing to believe that this is an elaborate tongue-in-cheek joke that I'm just not able to extract the punchline from.
This quote in particular has me convinced that this is some sort of hoax:
"You certainly can pay your local Geek to come over and configure your computer and sell you lots of software you have no idea about. Bring your checkbook – it’s going to run you hundreds of dollars. And you get to pay every year to renew your software as well. Don't forget the Geeks get paid when you buy software as well, so they have an interest in loading you up with stuff you don't need.
It’s not right. So I decided to do something about it."
That something is selling a 6-month website subscription for $37. So either I have just seen the Lone Ranger take a bribe and slap an old lady, or I am still not in on the joke. Mike's selling a book for the mom set on how to secure their own computer? Because paying for McAfee is some sort of injustice?
I teach a course very similar to Mike's book through my employer's corporate training program. If you would like a copy, e-mail me, and I will send you the slide deck. Steal my bullet points. Pass my advice around. I don't want any money. If you feel like giving me credit, that's cool. The people this is really for don't know who I am anyway.
Be free, common sense, be free!
I'll just leave you with this:
"Best of all, there is NO RISK to you. You don’t like Security Mike's Guide? Get your money back. [...] Regardless of the reason, if you are unhappy – I will send your money back. That’s right. If you aren’t happy, you can have your money back. I’ll wish you good luck because Security Mike’s Guide isn’t for everyone. It’s all good."
It conjures images of clowns and ponies and free hot dogs at a used car lot.
Monday, November 5, 2007
For the Paranoid
Been too busy to blog lately. Got a few things half-ready to post. Just need to find the time, motivation, and answers to get them posted. So this is just a proof-of-life post, I guess.
This story from Radar Mag made my day, sort of. It's an excellent story, but if you're paranoid like me, it may take you some place you'd rather not go. Maybe I should move my blog to typepad. :-)