
Monday, June 1, 2009

New Rules

After many months off, I'm jumping back in to the blog with both feet. Mostly in a Howard Beale sort of way. Didja miss me? Anyway, stealing a meme from Bill Maher, I've got something to say to security vendors. Without further ado, New Rules.

If you are a vendor, especially a vendor of security products or services, these are the rules I expect your product to follow. These are common sense, and I feel a little condescending telling them to you. But if recent experience is any indicator, you need to hear them. And you deserve the condescension.

  1. Do not store credentials in clear text! Seriously, you can get free libraries to hash credentials or store them in a secure container file that requires a secret key. There's no reason for a password to be in a text file or HKLM Registry key. None.
  2. Do not hardcode passwords! If I can't change every single password associated with your product simply and easily, then there should be a law that strips all of your developers of any degree they hold and forces them to go back to college and learn file IO methods.
  3. Do not use HTTP/Telnet/FTP/LDAP for authentication! Seriously, more than enough free libraries for SSH, TLS, IPSec exist. Use one. Or buy the one you really like. It beats having to issue a "patch" to sell to government and regulated industry.
  4. Don't run as root/SYSTEM/sa/DBA! Your product is not so special that it actually needs administrative privileges to run on the server or database that hosts it. Unless by "special" you mean "coded by lazy fools that don't want to define even the most basic security model." OK, then it is special.
  5. Don't use broken crypto algorithms! Sorry, but if you are shipping new product that uses 56-bit DES, RC4, or ROT13, please see rule #3.
  6. Don't send passwords in e-mail! Remote password reset is easy enough to do properly, there's no reason to be lazy and just send me my password if I forget it. Also, it means you're breaking rule #1. Busted.

There are no excuses for any product to not follow these rules, but especially security/compliance products. Gee, thanks. I just spent six figures on a product to help me manage or achieve compliance, and the product itself can't comply with the regulation I'm trying to address.
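Rules 1 and 6 in working form, as an added example that is not from the original post: credentials land on disk only as salted PBKDF2 hashes, and a forgotten password is handled with a short-lived one-time reset token rather than by mailing the password back. The in-memory CredentialStore, the reset URL and the user names are constructed stand-ins for a product's config file or registry key.

```python
"""Credential storage and password reset done the way rules 1 and 6 demand.
Constructed example: CredentialStore stands in for a product's password file."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000        # iteration count; raise as hardware gets faster
TOKEN_TTL_SECONDS = 15 * 60    # a reset link is only good for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
    except ValueError:           # malformed record or bad hex
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


class CredentialStore:
    """Holds only password hashes and hashed reset tokens: the 'text file' of rule 1, done right."""

    def __init__(self) -> None:
        self._hashes = {}        # username -> pbkdf2 record
        self._reset_tokens = {}  # username -> (sha256(token) hex, expiry epoch seconds)

    def set_password(self, user: str, password: str) -> None:
        self._hashes[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        stored = self._hashes.get(user)
        # Hash something even for unknown users so timing does not reveal which names exist.
        return verify_password(password, stored or hash_password("")) and stored is not None

    def begin_reset(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a one-time token to put in the e-mail link. Only its hash is kept here."""
        if user not in self._hashes:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._reset_tokens[user] = (hashlib.sha256(token.encode()).hexdigest(),
                                    now + TOKEN_TTL_SECONDS)
        return token

    def finish_reset(self, user: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Accept the token once; a wrong or expired token also consumes the pending reset."""
        now = time.time() if now is None else now
        entry = self._reset_tokens.pop(user, None)
        if entry is None:
            return False
        token_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(presented, token_hash):
            return False
        self.set_password(user, new_password)
        return True

    def reset_email_body(self, user: str, token: str) -> str:
        """What actually goes out by e-mail: a link carrying the token, never a password."""
        return (f"Hello {user}, a password reset was requested for your account.\n"
                f"https://example.invalid/reset?user={user}&token={token}\n"
                f"This link expires in {TOKEN_TTL_SECONDS // 60} minutes.")

    def dump(self) -> dict:
        """Contents as they would be written to disk; nothing here is a secret in the clear."""
        return {"hashes": dict(self._hashes), "reset_tokens": dict(self._reset_tokens)}
```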

Tuesday, August 19, 2008

Evidence FAIL

So, first read this.

John Dozier, self-described "SuperLawyer" of the Internet, thinks you kids and your DefCon are a bunch of punks. Stay off his lawn.

Of course, I disagree. DefCon used to be a hacker conference by hackers for hackers. Now it's the BlackHat afterparty-slash-olympics. But what it isn't is a bunch of criminals. Sure, there's some mischief, and a few folks even break the rules. But everyone I know who attended DefCon this year (and that number is solidly in the double-digits), works in InfoSec, and uses what they learn at DefCon in their professional lives.

Compelling as my argument may fail to be to people like Mr. Dozier, his argument is weaker than mine. Let's dissect, shall we:


Defcon ... began August 8 and it looks like the hackers sitting in the audience and participating in the hacking competitions spent two days trying to hack into the Dozier Internet Law website using SQL Injection Attacks, Mambo Exploits, encoded cross site scripting attempts, shared ciphers overflow attempts, and the like.

The favorite and most common ISP access was from Vietnam and China, with Beijing the host and doorway of the Olympic Games as well as many, many hackers.

OK, so what we have here is a number of known, old, web attacks from China against his web server that coincide with the timing of DefCon. And aside from the timing, there's nothing to implicate anybody having anything to do with DefCon. My guess is that this wasn't even an actual human being at all, but rather an ASPROX scan that Dozier's IDS detected.


The graph above shows what these hackers do. They come to Vegas to learn how to hack into systems and create havoc.

The funny thing about this is that, with the notable exception of Dan Kaminsky's DNS attacks, there aren't IDS signatures for the research presented at DefCon. So any attacks that did come as a result of learning done at DefCon wouldn't be on that graph.


The frustrated perpetrators (they never got access) were sitting in the Riviera Hotel ballrooms, I suspect...

First, the key word there is suspect. Mr. Dozier has zero evidence that these IDS alerts had anything to do with DefCon. None. Not a shred. Second, they would've gotten in.


Going after law firm websites and administration areas that contain attorney/client protected communications and documentation, and even court ordered "sealed" files, is a direct attack on the integrity of the judicial process and the judiciary

If you have documents that are sealed by a court order stored on your company website, then you have problems. Most federal district courts won't allow you to electronically file with the court to have a document "sealed" if that document must be or otherwise is included in the filing. Those general orders aren't accidents. It's a recognition on the part of the judiciary that electronic documents are inherently less secure. But I digress.


Many attendees commit criminal acts while in attendance in organized war games.

This is simply untrue. There are organized wargames, conducted on an air-gapped network off the Internet or any other network. This is perfectly legal. The US Air Force has staffed a team in the past. By the way, congratulations to Chris Eagle and sk3wl0fr00t on their CTF win. They bested two-time champs 1@stplace, who are some of the smartest people I know, and who are all highly ethical InfoSec professionals.


Others commit criminal acts as they learn the tools of the trade in the very ballroom during speaker presentations. They hack into banks, into personal computers, into businesses, into government agencies, and steal private information, cost businesses billions of dollars annually, and ruin the financial well-being and impair the emotional stability of individuals all across our country.

This is sensational and unsubstantiated. Or as a judge would describe it, hearsay.


This is the mob of the 21st century;

No, John, this is the mob of the 21st century.


The only "security researchers" in attendance, I suspect, are the good guys.

Yes, the security researchers at DefCon are the good guys. And I promise you that the DoD and DoJ agree, as many of the speakers, attendees, volunteers, and contestants at DefCon are paid consultants to these organizations.

UPDATE: John Sawyer has an excellent write-up on this issue and on this year's DefCon (unlike John Dozier, he was actually there) on his blog, Evil Bits, over at Dark Reading. Go read.

Wednesday, July 16, 2008

Coffee Shop Warfare

It seems like I can't go to a coffee shop, conference center, or bar these days without some jackass on the network abusing the bandwidth. Running MMO games, BitTorrent, gnutella, or even just a large FTP/HTTP download will saturate the wireless access point, let alone the modest DSL line it's connected to, rendering it unusable for the other patrons there. This is just plain rude. And since the barista can make a mean caramel cappuccino, but doesn't have the ability to blacklist your MAC on the AP (which I realize isn't a very effective control, but hey - maybe you'd get the message then?), we're all stuck to suffer.

And I wouldn't do anything hostile on a public network. But in the name of network self-defense, there are a couple of tools you might want to take with you to the coffee shop next time.

  • Wireshark - The quickest, easiest way to identify the abuser's MAC/IP is with a sniffer like Wireshark, tcpdump, or iptraf.

  • Snort - Snort with flexresp2 enabled, bound to your wireless interface, and the p2p.rules set enabled and modified with "resp:reset_both,icmp_host" is an effective deterrent for people using P2P file-sharing software.

  • Ettercap - More severe than Snort, you can use Ettercap to perform ARP poisoning and essentially blackhole the client(s) of your choice by MAC address. You could also use this tool to sniff unencrypted traffic between clients and the AP (and points beyond). But you wouldn't do this. It would be uncivilized, and possibly illegal.

There are lots of other wireless tools out there that have some application here, but many of them either go too far to be civil (Void11) or legal (Hotspotter), so I don't recommend them. For that matter, what I do recommend is getting your own EVDO card. Then you don't have to put up with rude WiFi users in the first place.

Thursday, May 22, 2008

TJX vs. CrYpTiC_MauleR

rsnake reported today that TJX has fired an employee who goes by the handle CrYpTiC_MauleR. He was apparently fired for disparaging remarks he left on a sla.ckers.org message board.

So who is CrYpTiC_MauleR and why should you care? He's some college kid working a retail job at TJ Maxx, and you probably shouldn't. Unless you're TJX, that is. And not for the reasons you might think.

Sure, this kind of thing is bad PR for TJX coming and going. And sure, it's disloyal and immature of an employee to trash his employer to the public, especially when it exposes their security vulnerabilities to self-proclaimed hackers. So you might think that firing this guy is an appropriate response. And maybe it is. But I don't think so.

Now, don't get me wrong, I don't believe for a second that this guy is an actual whistleblower. PCI's not a law, and rsnake isn't a regulatory or law-enforcement agency (that I know of), so what he did doesn't even approach whistleblower status. But his now-public firing is going to have a stifling effect on employees, both retail and corporate. And that is a failure of TJX's security program (one of many if you believe CrYpTiC_MauleR).

The thing is, a company needs to have a method of taking in security concerns from staff, and whatever that looks like needs to be communicated to staff, especially from company leadership, like the loss prevention exec that CrYpTiC_MauleR claims to have spoken to. Firing this kid for airing his concerns to the only people that would listen to him is certainly TJX's prerogative and not at all unexpected, really. But it also points out that the culture that allowed the initial breach to occur in the first place hasn't changed.

I've suggested before that TJX could stand to purge themselves. This only reinforces that opinion. If TJX can't change its overall security culture, it's only a matter of months before they're all over the news again.

Wednesday, March 26, 2008

Useless Statistics Returns!

Breaking News: Information Security is still not a science and vendors still suck at statistics.

What? You already knew that? Well, somebody forgot to tell WhiteHat. You'd think they might learn from their competitor's mistakes.

I'll save you 4 of the 5 minutes necessary to read the whole thing by summarizing WhiteHat's press-release-posing-as-a-study for you. They collected vulnerability statistics from an automated scanning tool that they sell (and give away demo use of during their sales cycle). From that, they generated some numbers about what percent of sites had findings, what types of findings were the most common, and what verticals some of the sites' owners are in. Then they let their marketing folks make silly claims based on wild speculation based on inherently flawed data. Anyway, I guess this isn't the first one that WhiteHat has put out there. They've been doing it quarterly for a year. But this is the first time I had a sales guy forward one to me. Can't wait for that follow-up call.

So what's wrong with WhiteHat's "study?" First, they collected data using an automated tool. Anybody that does pen-testing knows that automated tools will generate false positives. And based on my experience - which does not include WhiteHat's product, but does include most of the big name products in the web app scanner space - tests for things like XSS, CSRF, and blind SQL injection are, by their nature, prone to a high rate of false positives. No coincidence, XSS and CSRF top their list of vulnerabilities found by their study.

Second, their data is perhaps even more skewed by the fact that they let customers demo their product during their sales cycle. And if you want to demonstrate value doing pre-sales, you will want to show the customer how the product works when you know there will be results. Enter WebGoat, Hacme Bank, and the like. These are an SE's best friends when doing customer demos because there's nothing worse than scanning the client's web app only to come up with no results. It doesn't show off the product's full capabilities, and it pretty much guarantees that the customer won't buy. Of course, what these do to the "study" is to artificially drive the number of findings up. Way up.

Finally, and perhaps best of all, when Acunetix did this exact same thing last year, it turned into a giant, embarrassing mess. Mostly for Joel Snyder at NetworkWorld. The real killer for me is that I know that Jeremiah Grossman, WhiteHat's CTO and a smart guy, was around for that whole thing.

Oh, well. Maybe we'll luck up and Joel Snyder will give us a repeat performance as well.

But just like last time, the real loser is the infosec practitioner. This kind of "research" muddies the waters. It lacks any rigor or even basic data sampling and normalization methodologies. Hell, they don't even bother to acknowledge the potential skew inherent in their data set. It's not that WhiteHat's number is way off. In fact, I'd say it's probably pretty reasonable. But if they - or if infosec as a professional practice - want to be taken seriously, then they (and we) need to do something more than run a report from their tool for customer=* and hand it to marketing to pass around to trade press.

Sunday, March 16, 2008

My Not-So-Secret Glee

When I heard that the only remaining semi-above-board sploit broker is calling it quits, I couldn't help but smile. We still have 3Com and iDefense buying exploits outright. For now. But to see that the "0Day eBay" model is failing for reasons beyond a sudden lack of staff, well that is good news.

I wish Adriel, Simon, and the rest of the folks at Netragard / SNOSoft no ill will whatsoever. I hope their business continues to prosper and that they continue to be positive, active members of the infosec community. That said, I've mentioned my stance on the buying and selling of software vulnerabilities before. There are very real ethical issues here. And, more importantly, there are very real security implications for corporations and end users, who seem to have no representation in the discussion about those ethics.

Monday, January 7, 2008

Bad News for Mac Users

If there is still any doubt at all about the security of Mac OS X, I think we are about to find out. Someone at the Army has resurrected an old idea. They're going to start using more Macs because...

"...fewer attacks have been designed to infiltrate Mac computers, and adding more Macs to the military's computer mix makes it tougher to destabilize a group of military computers with a single attack."

Right. I can't think of a single instance of a vulnerability that affects both Windows and Mac. And Apple have always been proactive and fair when dealing with security researchers, so that's good.

Seriously, though, the real reason Macs aren't subjected to more drive-by-downloads and malware in general isn't that OS X is significantly more secure than XP or Vista. It's that OS X is still a tiny fraction of the potential pool of malware victims. (An all-time high of 7% as of last month.) It's not worth the money for the botnet czars to develop exploits and bots for OS X. But if somebody really big like, I dunno... the U.S. Army were to deploy Macs in large numbers, then the scale might begin to tip toward profitability.

And then hold on to your blackberry green tea frappuccino, pal. Here it comes.

Tuesday, November 6, 2007

Am I Not In On The Joke?

So I just found Security Mike's Guide to Internet Security.

You have to understand that I respect the hell out of Mike Rothman. Which is why I am choosing to believe that this is an elaborate tongue-in-cheek joke that I'm just not able to extract the punchline from.

This quote in particular has me convinced that this is some sort of hoax:

"You certainly can pay your local Geek to come over and configure your computer and sell you lots of software you have no idea about. Bring your checkbook – it's going to run you hundreds of dollars. And you get to pay every year to renew your software as well. Don't forget the Geeks get paid when you buy software as well, so they have an interest in loading you up with stuff you don't need.

It's not right. So I decided to do something about it."


That something is selling a 6-month website subscription for $37. So either I have just seen the Lone Ranger take a bribe and slap an old lady, or I am still not in on the joke. Mike's selling a book for the mom set on how to secure their own computer? Because paying for McAfee is some sort of injustice?

I teach a course very similar to Mike's book through my employer's corporate training program. If you would like a copy, e-mail me, and I will send you the slide deck. Steal my bullet points. Pass my advice around. I don't want any money. If you feel like giving me credit, that's cool. The people this is really for don't know who I am anyway.

Be free, common sense, be free!

I'll just leave you with this:

"Best of all, there is NO RISK to you. You don’t like Security Mike's Guide? Get your money back. [...] Regardless of the reason, if you are unhappy – I will send your money back. That’s right. If you aren’t happy, you can have your money back. I’ll wish you good luck because Security Mike’s Guide isn’t for everyone. It’s all good."

It conjures images of clowns and ponies and free hot dogs at a used car lot.

Friday, October 12, 2007

State Penn

I just got this story off of Engadget. It only has a little something to do with security, and my rant even less so.

Penn State has developed a high-security environment for students to take exams in. This is a total waste of technology. The point of this is to ensure that students cannot cheat on tests by using iPods or cell phones to store potential answers to questions. In my day, it was graphing calculators, and in my folks' day it was arms up shirt sleeves.

My point is not that invasive, high-tech monitoring can't work, though it probably can't. My point is that it only allows the continued perception of validity of the worst testing higher education has to offer - memorization. Computers are for data storage. Human minds are for imagination, applying concepts, and learning. None of this can be stored on an iPod. Professors who insist that students learn by regurgitating facts that can be digitized and retrieved with Ctrl-F only serve as a barrier to learning.

Tuesday, October 2, 2007

Paris Got a Raw Deal

OK, so this might be proof that Paris Hilton's prison sentence was too harsh. An MIVD official (read: high ranking Dutch spy) was sentenced at The Hague for losing some part of an NSA intelligence feed he had access to in his role (as a high ranking Dutch spy). The sentence? 120 hours of community service. So, uh, I guess if you live in Utrecht, keep an eye out for a guy in a tuxedo picking up trash along A27.

TJX: A Glimmer of Clue?

This is the first time I've heard anyone say anything about TJX doing something about their network security posture. But read between the lines here. WEP has been thrown under the bus, they've implemented WPA, but all of these credit card numbers lived in a database.

Is it safe to assume that the sa or sysdba password was different than the WEP key? OK, then maybe WEP wasn't the only problem? It's disingenuous to make WEP the scapegoat for what is a larger security failure. But, hey, at least they're using WPA now. Anybody taking bets as to whether or not it's WPA-PSK?

Thursday, September 27, 2007

A Message for Digital Flow

I was following up on some suspicious JavaScript content and found this:

//****** Advanced DHTML Popup Pro Version 2.40.096.201.019, Build: 130 ******
// Copyright (c) Digital Flow Software 2005-2006
// The present javascript code is property of Digital Flow Software.
// This code can only be used inside Internet/Intranet web sites located on *web servers*, as the outcome of a licensed Advanced DHTML Popup application only.
// This code *cannot* be used inside distributable implementations (such as demos, applications or CD-based webs), unless this implementation is licensed with an "Advanced DHTML Popup License for Distributed Applications".
// Any unauthorized use, reverse-engineering, alteration, transmission, transformation, facsimile, or copying of any means (electronic or not) is strictly prohibited and will be prosecuted.
// ***Removal of the present copyright notice is strictly prohibited***


And subsequently, this:

Unblockable popups

The popups that are created with Advanced DHTML Popup are not blocked by standard external window blocking software as they are part of the web page and not windows on your visitors desktop.

So, first of all, I would like to say that for as long as your "intellectual" property appears on my network just like a malware dropper, I will continue to reverse engineer its content to verify its intent. Second of all, you guys seem pretty smart. Why couldn't you find real jobs?

Monday, September 24, 2007

TJX Settlement Close?

According to a boston.com article, a tentative settlement has been reached in the TJX breach class-action lawsuit. If the judge accepts the settlement, consumers will get:
  1. Up to a $30 voucher per customer who can show time/money spent dealing with the breach (at a rate of $10/hr).
  2. 3 years of credit monitoring and identity theft insurance for about 450K customers who had lots of info (including DL# and SSN) stolen.
  3. Marshalls and TJ Maxx will hold a 3-day "Customer Appreciation 15% Off Sale." (I kid you not!)
Unfortunately, the settlement lets TJX avoid admitting breach of contract and negligence with regard to its data security practices. Also apparently missing from the settlement is any commitment from TJX to improve security. Of course, with the settlement costing an estimated $256M, we can hope that the board and execs at TJX have seen the light on security spending.

Thursday, August 30, 2007

The Great NAC Robbery

From Dark Reading's "News Feed" (aka industry press release feed) comes a purported success story about an intermediate school district in Texas that has implemented Mirage Networks' NAC. Reading stuff like this makes me ill. There are several components of this scenario that are offensive to my sensibilities and common sense in general.

First, K-12 schools have very real, very unique security challenges. (I speak from experience. My early work with firewalls, content management, security monitoring, incident response, forensics, and working with law enforcement all came from working for a school district for the latter half of the 1990's.) But rogue devices (the problem that NAC should be positioned to solve) shouldn't be one of them, at least not a big one. Simple network design and segmentation should cut down on accidental cross-over from student/library/commons networks, and then physical supervision (you know, teachers, librarians, parapros, etc.) can be used to cut down on students intentionally plugging in laptops in classrooms or offices.

Secondly, NAC is the wrong fix for Sasser. Patching a 4-year old vulnerability is the right fix. If your patch cycle is over 4 years, then you have no patch cycle, and with or without NAC, you've lost. Using NAC to 'ban' all of your unpatched workstations from the internal network may save your unpatched servers, but kicking out legitimate users on internal machines is still an overall loser for IT. Functionally and politically, this can't be sustained.

Thirdly, school money is taxpayer money. School administrators - especially facilities and IT folks - hate to be reminded of it, but it's true. This is a nice win for the account manager at Mirage that pulled it off. K-12's can be tricky to sell into, and they typically have tight budgets with limited or no dedicated spending for security. An ISD like Round Rock will actually encompass several local school districts, and RRISD itself consists of over 40 schools, plus admin offices and bus garages. At that size, there's pretty much no way this wasn't at least a 6-figure expenditure. And for what? A temporary fix for a problem that could've been solved with $20K of server hardware and WSUS? If I lived in Round Rock, TX, you can be sure I'd be at the next board meeting asking questions.

Tuesday, August 14, 2007

Playing Catch-Up

Did you know that it's possible to overwhelm a Treo by simply ignoring your e-mail for two weeks? :-) Now you do.

OK, first of all I want to get some thank-you's out. Thank you to Jeff Moss and the Black Hat staff for putting on an amazing conference. Thank you to OWASP, Microsoft, and especially Don Donzal and EthicalHacker.net for buying the bar. Thanks (and congrats!) to the 1@stPlace guys for hanging out Thursday night. It was great to meet you all and nice job on your 2nd consecutive win! Oh, and thank you to Dateline producer Michelle Madigan for sending me home from Vegas with a story I could tell to people that don't grok '%48%45%58'.

And second, here are my pictures. All taken with my Treo, so they pretty much look horrible.

David Litchfield teaching "Breakable: ..."

(L-R) Peter Ferrie, Tom Ptacek, Nate Lawson, Dino Dai Zovi

Free Shirts ! (Note the rare and prized ArcSight Ace & Gary shirt)

Alexander Tereshkin, Joanna Rutkowska

Pwnies!

Bruce Schneier

Tim und das Grosse Bier ( @ Hofbrauhaus - thanks again Don Donzal!)

CTF !@#!! (Kenshoto ninjas surrounded me and demanded the SD card, but I escaped)

Lockpicking races

Priest kicking folks out of Bruce Potter's very popular talk

S'mores rule! (Vegas to Pentwater was opposite ends of the spectrum, but just what I needed!)

Monday, July 23, 2007

Penny Arcade So Closely Resembles My Life It's a Little Freaky

You know, they hire real medical examiners and forensics technicians to consult on movies and TV shows (like CSI) to achieve a hopefully-fascinating level of realism. Which is why I sometimes wonder if Hollywood just has an exceedingly low opinion of infosec, because they clearly don't hire infosec consultants.

Friday, July 13, 2007

On Wireless Hackers and The Law (Again)

This week, an appeals court upheld the sentence of one of the Lowe's hackers. He got 9 years, the longest sentence given to a hacker in the U.S. ever!

In case you don't already know, two hackers broke into a Detroit Lowe's store via open WiFi access point and were attempting to steal credit card numbers from Lowe's transactions. By all accounts, this attack would have worked but for the fact that the 2 men were arrested before they could return to collect the card numbers.

As I read this, it put into perspective for me just how completely dumb the arrest of Sam Peterson (also in Michigan) was.

Tuesday, June 26, 2007

ISN Funny

I <3 The Onion. But I especially love it when they show up mixed in with the "real news."

http://www.infosecnews.org/pipermail/isn/2007-June/014889.html

Wednesday, June 6, 2007

TJX CEO Apology

Apparently TJX CEO Carol Meyrowitz (who, it bears mentioning, was not CEO at the time that the breach occurred) apologized for The Biggest Data Breach Ever at a shareholder meeting earlier this week. Unfortunately the entirety of the meeting is not online yet, but boston.com quotes her as saying,

"But we had locks."

I'm forced to assume that this is a metaphor, not meant to be taken literally. You know, cuz shareholders are dumb and don't understand words like "authentication" or "encryption." So reading between the lines here, Meyrowitz is contradicting what a well-respected Gartner source has said about the lack of wireless security.

I hope Ms. Meyrowitz isn't offended if I don't take her word for it. Either way, it's what she apparently didn't say that bothers me. There seems to have been no talk of what steps TJX has taken or how much they've invested in improving IT security at TJX in order to reduce the risk of a second breach. I'm no stock trader, but uh...

Recommendation: Strong Sell

Thursday, May 24, 2007

Un-believ-able

It's hack-ish (not meaning hacker-ish) to pick on Oracle for their "unbreakable" branding claim. But until Oracle gets to a place where they can fix buffer overflows in less than a year and XSS in less than 4 years, they really need to put a muzzle on their people when it comes to talking publicly about security.

I say this because the un-flapp-able Mary Ann Davidson gave the keynote at AusCERT 2007 and - I kid you not - compared software to US Marines. I don't think I disagree with the spirit of Mary Ann's point in her speech, but the irony of the situation is overwhelming. Seriously, either she went rogue and hoped nobody would notice, or Oracle needs new PR people. Someone should've talked her out of this.

Oracle is easily the least cooperative of the big vendors when it comes to security. Sure, Apple's been vilified recently for playing hardball with security researchers, but at least they release patches! Oracle's name is mud with researchers and bug reporters - just ask David Litchfield. (PDF link) And given their reputation, one they've spent the past decade earning, Mary Ann Davidson saying,

"Why do we need all these [security] products in the first place? Because software can't defend itself."

or,

"You are going to have to have some kind of proof that you paid attention in development - even to the level of training people and what kind of software lifecycle you have."


...is somewhere between hilarious and offensive. Before Oracle officers go around touting vendor-driven defenses, perhaps they ought to spend a little time talking about investing in software QA & bugfix processes and resources. This argument is already over. Microsoft has spent the past 5 years showing the world that you can solve security problems by throwing money at them. So Oracle, it's time to take your own medicine and step up.

In other words, it's time for Oracle to clean up their own backyard and Mary Ann Davidson needs to get the hell off my porch.