Bejtlich and IPSxIDS

Richard Bejtlich is one of the best sources of information and reasonable opinions about intrusion detection. He wrote a very precise argument about why Detection is important even when you can use Prevention. I'll quote him here:

"traffic inspection is best used at boundaries between trusted systems. Enforcement systems make sense at boundaries between trusted and untrusted systems."

Very good!

Banks and authentication challenges

Daniel Blum wrote a incredibly good article today on Network World. He said something very sharp on the matter of additional security measures that the banks need to deploy:

"From a business perspective, banks are much less concerned about losses to fraud than they are about scaring away customers. To them, online banking represents a Mecca of huge cost savings and revenue opportunities. The technical solutions that win out for them will be those that offer unobtrusive but effective protection."

The savings from Internet Banking usage growth are huge. Should the banks risk this savings by sending tokens, password cards to their customers? What if they agree on paying the losses for their clients instead of using additional security controls? Isn't it a valid way of dealing with that risk? Isn't it the way that credit card companies are taking?

Sometimes security people focus too much on vulnerability/control and forget about risk management.

Sun Ray Security

Recently I was evaluating the Thin Client solution from Sun, "Sun Ray", and one thing caught my attention.

The Sun Ray clients run only a firmware, without OS. The firmware is responsible for getting the initial settings from a DHCP server, incluing the address of the Sun Ray Server. Once the client establishes a conversation with the Server it uses a X11 emulation over UDP, using a Sun protocol called ALP (Appliance Link Protocol). If there is a firmware upgrade the client downloads it from the server when powering up.

Hey! So the client receives the information about who is the Server from a DHCP response. Yes, and this is server is the one who sends the new firmware. Then, if anyone can forge a DHCP response, he can then send a contaminated firmware to the client. Is anyone looking at the Sun Ray firmware characteristics to find how much one can hack with it? The clients has a syslog reporting feature, for example. What if someone alters the firmware in a manner that the client sends the keystrokes to a syslog server? Wow.

Well, I think that network based (switches features) controls can be used to avoid those bogus DHCP responses, but I really don't know if there is such granularity today.

And what if my network uses 802.1X authentication? Obviously it will need to be disabled where the Sun Rays are being used. Bad thing. However, I think the risk from this issue can be truly reduced by ACLs and PVLANs.

One of the sales arguments from this solutions is security. Using Java Cards for logon and so on. But what about these network level issues? If the device does not havr any static setting (another sales argument), even a server identity check is hard to be implemented. Perhaps using some kind of challenge-response with the Java Cards, I don't really know if it's possible.

Well, these are some of my random thoughts about this subject. If anyone out there has already made an anlysis on those issues, I'd really like to know the conclusions.

He's back...let's patch!

Apocalypse Knight David Litchfield is back with another bunch of Oracle vulnerabilities. The patches are available to install.

McAfee misses the target

I've just read Richard Bejtlich comment about today's most noisy new, the McAfee report. I read in bloglines when I was looking for more information on the subject to be able to post a comment here. Well, I think Bejtlich said it all.

The real menace of rootkits wouldn't be clearly understood without the disclosure of what the Sony CD's where doing, and security professionals would be shooting at random without information provided by sites like rootkit.com. I don't feel comfortable with some sorts of vulnerability disclosure (like what happened with WMF and those last in IE), but blaming information like rootkit.com is a bit too hard. I'm discussing some thoughts about ways that trojans can steal money from Internet Banking accounts or even how worms can be more destructive or hard to fight. I don't do that to help people that create them, but to help those that need to avoid them. Rootkit.com is the same thing.

However, there is one thing that we need to think about. There is a lot of research like rootkit.com that is presented in a way that seems to be directed to black hats, to be used in a improper way. Even if this way of presenting results seems to be "cool", it won't help on gaining respect from places like Gartner or IDC. If it's security research, let's try to present it like that. Do you know anybody that does (biological) virus research and present its results saying "0wNeD! KiLlInG QuIcK AnD DiRtY!"????

(Does anybody remember that scene from "The Jury", where Dustin Hoffman shows that the gun industry was using "fingerprint proof" as a sales pitch?)

Firefox update

The Infosec industry is really biased when commenting on browsers security issued. Every IE problem causes an avalanche of hatred comments on "MS insecurity". Meanwhile, Firefox has just been update for security issues and almost nobody mentioned it. What was fixed? Was it serious? How long has the issue been known? Hey guys, let's try to face all products with the same critical approach.

The update took me by surprise this weekend. As a security professional, I don't like surprises. MS can took to long to fix a public disclosed vulnerability, but at least they try to keep us informed of their plans and about what they are doing with the software we use.

Certificates Private key in Windows

I've just read something interesting about the way that Windows handles private keys for certificates when you delete a certificate. It keeps the private key in a way that if you install the certificate (yes, the public key only) again later, it will allow you to use the private key (that was kept somewhere [Protected Storage?] in the system). So, if you really want to delete a private key for a certificate in Windows, there is a tool to do that in the link above.

Schneier on VoIP Security

Schneier is so interested in privacy and US Homeland Security matters that his blog has been a bit boring in the last times. Luckily, today he chose a interesting subject, VoIP Security.

It's a very good comparative analysis of the threats from the conventional telephony and those from VoIP. It's the kind of thinking exercise that we always need to do when you change the technology used by some activity. Even without anything new, it's good to read because of its approach. For those who like it, you can find more from the same in his book "Beyond Fear".