Thursday, May 25, 2006

Remote kernel overflow exploit

This is from DailyDave:

"Sinan Eren wrote a working version of GREENAPPLE, a remote kernel
overflow in SMB for Windows 2000. It's available now to Immunity
Partners, but it will be in the June Immunity CANVAS release, which
will be interesting. Essentially it's the first remote kernel overflow
I've ever seen - maybe someone knows of one I don't?"

It's related to the MS05-011 vulnerability. One interesting thing is to see a "remote kernel overflow" in a micro kernel OS, Windows 2000. Linux and its fat kernel have never suffered from something like that. I think it proves how good concepts can suck with bad implementation and how bad concepts can work with good implementation.

More ammo for Mr. Torvalds against Tanenbaum :-)

Saturday, May 20, 2006

Word exploit in the wild

It's not surprising to see a new exploit for MS Word being used to run malicious code. It only confirms my belief that workstations/users are the preferred entry point for attacks. Internet-facing servers are usually well protected and monitored. Workstations are usually badly configured, not patched and placed in flat, unmonitored internal networks. Yummy!

SANS Internet Storm Center has published some tips for defense against this threat. I'm glad to see honeytokens being proposed. In fact, the whole list is very good. My favorite items are monitoring and blocking outbound traffic and limiting data on desktops: the kind of security measure that is effective against lots of threats and does not depend on prior knowledge of the attack being used.

More myths debunked

Do you really have to change your password at short periods?

The increase in Rainbow Table tools, and tables for sale, shows that changing passwords would be effective only if done daily (or hourly!). Let's make people learn a very good password to avoid dictionary and guessing attacks, then let them use it for more than 30 or 60 days.

Thursday, May 18, 2006

PCI and SOX changes? Less security?

I've recently heard about changes in two security compliance drivers that I deal with, SOX and PCI. There are discussions about changes in SOX to remove the confusion about which controls are needed (and how they should be implemented), as well as about how the audit firms should assess risk in their clients.

The PCI Data Security Standard requirements will also be subject to changes. There is talk of reducing the encryption requirements and increasing application security controls.

In both cases I've found myself in discussions with peers about whether the changes are good or bad. Man, I did it again! I caught myself advocating less security!

Well, in fact, I'm not arguing that companies need less security. I believe that they need the right amount of security for their business. SOX and PCI try to define the minimum requirements (SOX, of course, is much broader, but I'm focusing on the aspects that result in security requirements), but I understand that on some points they push too hard.

SOX, in fact, does not push anything, but it leaves to the auditors the decision of which controls are needed. I think it's a bad idea, because auditors usually don't have the sense of "how much control is enough", but I'll come back to that another time. Let's talk about PCI.

My main concern about PCI is that it seems to have been written to prevent card data from being stolen by "Internet Hackers". When reading the PCI requirements you'll notice that it is always trying to protect your "internal network" from "public networks". Ok, we know that this is necessary. But didn't these guys read anything about internal threats?

When you're aiming at online merchants, like Amazon, it probably makes sense to focus on external threats. PCI, however, is also being pushed to issuers, who have thousands of employees with direct contact with cards and cardholder information. I really think that PCI does not give these threats the same treatment that it gives to the "threats of the moment", like hackers and viruses.

As a security professional I'm constantly worried about building a holistic security strategy. PCI, like other security standards, should try to push minimum requirements in all directions of information security. As an example, we are always discussing how companies respond to their incidents: what they should do to reduce damage, notify the people affected, protect evidence and so on. Why doesn't PCI have anything about that? (Same for security monitoring, security staff, etc.)

And when it tries to help, like when defining firewall policy requirements, it usually dives too deep into detail, like defining which protocols should be accepted. It could be more flexible there, just by requiring that the organization have proper procedures to assess and deploy rules in its firewalls.

Despite the different points of view, I'm happy that discussions about laws and standards are happening. These discussions will help us improve those documents, allowing us to reach better cost/benefit equations. Systems that are too insecure do not grow because people don't trust them. Systems that are too secure will also not grow, as they are too inflexible, expensive and hard to use.

Monday, May 15, 2006

Still on Security

One post at cisspforum caught my eye. The author, Scott Pinzon, authorized me to quote him:

"I don't think Information Security is "failing," for the simple reason that today more online commerce is occurring than ever in history, and for the most part, it works.

Info Sec is far from perfect; we all know that. But you can't point at a bunch of bad drivers and say "the national highway system is failing!" or a few crime-ridden cities and say "our entire culture is crashing into chaos!"

The fact that we all go about our day banking, buying, and investing proves that Info Sec is not failing."

His example of crime-ridden cities is very appropriate for the moment we are going through here in Sao Paulo, Brazil.

Friday, May 12, 2006

Chip and PIN fraud

This is the matter of the moment in the UK. More problems, this time with Lloyds. This article gives more details about what is really happening.


I love it when someone attacks infosec absolute truths! Roger Grimes did that in this article at InfoWorld. I like the part where he comments on security through obscurity:

"The myth would have you believe that security by obscurity has no value and any scheme using it should be immediately discounted. But the fact of the matter is that security by obscurity works, and works well. It is among the least expensive security defenses you can employ. It should be considered a part of anyone’s defense-in-depth plan."

The bold is mine. It's very important to make clear that security through obscurity is not enough on its own, but it can be very valuable in a defense in depth strategy. Grimes himself gives a very good example in the article.

Cambridge and security

I hadn't heard about it yet: a blog from Cambridge security researchers. At first glimpse it seems to have very good content. I'll look closer later.

Security Absurdity - more comments

Noam Eppel wrote an article called "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." that generated a lot of noise in the security community. I decided to comment on it in my blog too.

Yes, it's really too much FUD. But it also has great points about things that are real. Some of them are not always seen in other places, and I'm glad to see that a lot of them are things that I'm always reminding people about. Among them are:

- The failure of the signature-based antivirus approach
- Trojans and backdoors targeted at specific companies and organizations
- Trojans that, instead of stealing credentials, just perform funds transfers after the user is authenticated (I made a PoC presentation about it last year at CNASI). I was impressed to learn that there are real cases now
- 0-day usage becoming more common every day
- Internal attack issues, one of the biggest motivators of my Master's Thesis.

He used these facts to draw conclusions, some right, some wrong. I agree that there is a rising complexity that makes security harder to do, that the cost of security controls is too high and that our "best practices" don't solve the problem. This last one is one of my favorites; I have been saying that for some time.

I have a friend who is a penetration test specialist. His approach gives him an almost 100% success rate, even in companies that have advanced security programs. What is happening is that the main sources of information for the CSO, with their indications about the most common threats, don't lead to solutions that could stop my friend's approach. The "by the book" CSO will be easy prey for him. I believe that we need a deeper technical discussion about what we understand as "best practices", making them more effective and clear. When I say technical discussion I mean "bring in the good guys!", especially those that are not related to off-the-shelf product vendors. Have you ever noticed that the "next biggest threat" always fits the feature description of those just-released black boxes? Wow, so every new threat can be avoided just by buying them?

Back to the article: I think that its qualities end here. The author forgets that our goal is not reaching 100% security, but the security level needed to allow the business to keep going. The "it just needs one single vulnerability to fail entirely" approach assumes that defense in depth and compartmentalization are not being applied. It's overreacting.

I also think that there is too much confusion between "home user" security and corporate security. Really, we need to improve security a lot for the common home user; it's very hard for a non-technical person to keep a computer secure. But we can't forget that we are not dealing with a common home appliance, like a refrigerator or a TV. There is two-way communication, there are new features being deployed on the fly, from different sources. The user has part of the responsibility to decide which features and which sources are safe; we can't deny that. If you want to drive your car in the streets you need to know that your safety depends not only on road conditions or on your car's safety features, but also on decisions and skills from you and other drivers. It's the same thing with the Internet and computers in general.

There are still more deaths in car accidents than in wars!! I don't think we are failing in infosec as terribly as we are with traffic safety.

There is another thing. Those numbers: increasing losses, frauds, etc. I can't say for sure as I haven't done extensive research, but I bet that when paper money or checks were introduced, fraud grew wild. As a technology is gradually mastered, the ways of making it secure evolve. However, if the technology is evolving too fast there is no time for security to evolve. It's natural. Security systems created 10 years ago are not very effective today, but if we applied their current versions to the same problem for which they were created, they would be almost perfect.

Let's try to imagine if the evolution of weapons had happened in a much more accelerated form. We would have spears, swords 6 months later, muskets in two years and grenades after 3. If we compare this with infosec, we would be trying to make hand shields stronger and complaining that they were not protecting us from the grenades.

So what, Augusto, will you do exactly as he did and not tell us how to solve it?

First, it's necessary to make the people in charge of security know about it. They know about products, not about security. They think that they just need to build the Lego with firewall+ids+ips+av blocks and everything is ok. We need education, to make them skilled professionals. It can be done with better training (SANS!), certifications, standards, codes of practice, etc.

Second, user awareness. Sorry Ranum, but I think it's more than necessary if our intention is to keep the flexibility and power in their hands. We could replace all our cars with a public transportation system and drastically reduce the accidents. Does anybody think this is possible? :-)

Third, product intelligence. Keep running after attack, virus and Trojan signatures?? This is too archaic. The advantage of more fraud is that there will be more investment in security technology, bringing more money and brains to the research field too. With this investment we can reduce the gap between state-of-the-art technology and the security tools available.

Fourth, demystify insecurity. This is not black or white, all or nothing, but the gray tone that each person or company can live with. When you go out into the streets there is a risk of being robbed, murdered, or the victim of an accident. These risks are, usually, getting higher every day. Have you given up going out of your house because of that? Maybe you have changed some habits (mitigating risk), but you accept that there is risk in keeping doing what you need to do. You go to the bank; there is the risk of someone who saw you withdrawing money following you later to rob you. You use Internet banking; there is the risk of someone taking advantage of this. Nothing changes. People only need to be conscious that the problem exists in any situation, be it "real" or "virtual".

That's it.

Monday, May 8, 2006

Chip and PIN Fraud in UK

There is a lot of noise in the security feeds about this fraud in the UK. Most articles from the press give the impression that the chip on the cards was the victim of the fraud. The problem, however, seems to be in the old magnetic stripe fall-back feature. This is another situation that shows why supporting old technologies for backward compatibility is a bad idea for security. If you have a card that uses chip technology and it can also be used as a magnetic stripe card, which has a much lower security level, its overall security level will be the same as that of the stripe. That old thing about the weakest link in the chain, again.

Chip cards vulnerable to skimming are just a waste of money and a false sense of security.

Thursday, May 4, 2006

Least Privilege in XP

This week I started to follow what I preach and removed administrator privileges from my user account on my home computer. In fact I had to create a new account, as I was running XP with the Administrator account renamed (shame!!!). I had some problems copying the old profile to the new account, but everything went fine. So far nothing has caused me serious issues, and the "runas" feature, as well as Fast User Switching, is making the move as smooth as it can be. I don't think it has been any more problematic than having to use sudo on Linux. Some NTFS permission tweaking solved most of the problems.

A good resource for solving issues when trying to run with reduced privileges is Aaron Margosis's blog. It has been helping me a lot.

Backup tapes, again

Iron Mountain has lost some backup tapes from its clients again. I started to look more closely at these incidents after seeing a standard contract from this kind of company, where they declare that they'll only reimburse the media value if a tape is lost. Wow, you lose a tape with your whole customer database and receive only a bunch of dollars for it?

These companies usually ask you to take out insurance. I think that changing the contract to allow a standard fee (or a classification-label-based fee) to be paid in case of tape loss would be better for their clients, but they usually don't accept these terms. Of course it is an additional risk for them, but, after all, it's their business: transferring the risk related to media handling to a third party! Why can't they take out a "catch all" insurance policy to mitigate this risk?