Wednesday, December 31, 2008

Some good predictions for 2009

Sorry if you were expecting something big. Usually the best predictions for next year are the dullest ones. So far I have found these from Andreas Antonopoulos to be the best. But what do I mean by best? Best as in those with the biggest chance of being right. According to the Black Swan theory (funny, I remember Antonopoulos and Dan Kaminsky discussing it during the bloggers meet-up back in April at RSA), I believe we cannot predict huge things, as they are usually unexpected to the point of being unpredictable. Also, there are not many "big happenings" in security history, so there is no point in generating predictions full of big happenings. Can you remember a year full of huge information security stories?

Antonopoulos's predictions point to natural evolutions of current situations and threats. He may miss some big bang stuff that eventually happens, but I wonder how many will get that one right, if it really happens.

A very good 2009 to all of you. Thanks for reading all this crap during 2008. I hope to be a little more present and provide a little more content next year (new year resolution #n?). After all, life will probably be a little more stable. Or not. :-)

Friday, December 19, 2008

War and Information Security

Andrew Hay has posted a very nice piece on how war strategies evolved and how that compares to information security. He finishes it with this very nice line:

"I believe that all security professionals should be students of military history and tactics. Seeing what failed for great generals will show us how to adapt to, and defend against, network and system attack situations in the future."

I definitely agree with him.

Phishing now installing malware...NEW?

I was LOL when reading about this "new stuff" from Network World today. They are saying that last August phishers started to change from trying to get information from victims to tricking them into installing malicious software? LAST AUGUST? Hey, that has been happening in Brazil for years now.

In Brazil the banks were suffering from phishing back in 2002 and 2003. As the losses were huge, they started a big campaign to educate their customers about the threat. Soon people were avoiding any message that appeared to come from their bank. The criminals quickly changed their methods.

As people had been taught to avoid clicking on links in "messages coming from banks", Brazilian phishers quickly started to send messages that would use any possible pretext to trick people into clicking on their links. Those links redirected people to download executables, the famous "bank trojans" mentioned in the last Microsoft Intelligence Report. Messages could appear to be "virtual postcards", fake former university/college/high school colleagues sending a "see how I am now", pictures from the latest plane crash, among others. Anything was a pretext for a new burst of fake messages tricking people into clicking on links.

With that approach we could also watch the trojan/backdoor evolve. They started as simple keyloggers sending passwords to an e-mail account through SMTP. When the banks started using on-screen keyboards, the malware started capturing screenshots too. When banks started using OTP cards, trojans started to open windows while the victim was visiting the bank's website to request "card activation", obviously asking for all 40 numbers on that small card (!). Do I really need to say that people believed it and did exactly that? :-) Now several banks are using OTP tokens. The "bleeding edge" trojans are now trying to change valid transactions from the user, by changing the bill that is being paid or even the destination account of a wire transfer. That only shows that whenever it is economically feasible, malware will always evolve to match security measures.
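The last step of that evolution, a trojan rewriting the destination account after the user has already authenticated, is exactly the case a plain OTP token does not cover: the code proves the user is present, but says nothing about the transaction. The toy model below is an added example, not code from this post or from any bank or token vendor. It contrasts a login-style OTP with one that also covers the destination account and amount, so that a transfer altered in the browser no longer matches the code the user typed. The token scheme (truncated HMAC over a counter plus the transaction fields), the account numbers, the shared secret and the mule account are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    """One wire transfer as submitted from the browser (constructed toy model)."""
    source: str
    destination: str
    amount_cents: int


def token_code(secret: bytes, counter: int, transfer: Optional[Transfer] = None) -> str:
    """Simulated OTP token (toy scheme, not any vendor's algorithm).

    With transfer=None the code depends only on the shared secret and an event
    counter, like a plain login OTP. With a Transfer it also covers the
    destination account and amount, so the code is only valid for that exact
    transaction.
    """
    message = counter.to_bytes(8, "big")
    if transfer is not None:
        message += f"|{transfer.destination}|{transfer.amount_cents}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Truncate to six decimal digits, like the code shown on a token display.
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Server side: recomputes the expected code over the transaction it actually received."""

    def __init__(self, secret: bytes, bind_to_transaction: bool) -> None:
        self.secret = secret
        self.bind_to_transaction = bind_to_transaction
        self.counter = 0  # next expected token counter for this customer

    def submit(self, transfer: Transfer, code: str) -> bool:
        expected = token_code(
            self.secret, self.counter, transfer if self.bind_to_transaction else None
        )
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1  # each code is accepted at most once
        return True


def trojan_rewrite(transfer: Transfer, mule_account: str) -> Transfer:
    """What the bank trojan does: swap the destination before the request leaves the browser."""
    return replace(transfer, destination=mule_account)


def run_scenario(bind_to_transaction: bool) -> Tuple[bool, str]:
    """Infected browser. Returns (accepted by bank, destination the bank actually received)."""
    secret = b"constructed-shared-token-secret"  # provisioned to token and bank (assumed)
    bank = Bank(secret, bind_to_transaction)
    intended = Transfer(source="1234-5", destination="9876-5", amount_cents=150_000)
    # The user reads the code off the token for the transfer they intend to make...
    code = token_code(secret, bank.counter, intended if bind_to_transaction else None)
    # ...and the trojan tampers with the form after the code has been typed.
    sent = trojan_rewrite(intended, mule_account="6666-6")
    return bank.submit(sent, code), sent.destination


def run_honest(bind_to_transaction: bool) -> bool:
    """Clean browser: a transaction-bound code must still accept the untampered transfer."""
    secret = b"constructed-shared-token-secret"
    bank = Bank(secret, bind_to_transaction)
    intended = Transfer(source="1234-5", destination="9876-5", amount_cents=150_000)
    code = token_code(secret, bank.counter, intended if bind_to_transaction else None)
    return bank.submit(intended, code)


if __name__ == "__main__":
    for bind in (False, True):
        accepted, dest = run_scenario(bind)
        kind = "transaction-bound OTP" if bind else "login-style OTP"
        print(f"{kind}: tampered transfer to {dest} accepted={accepted}")
```

With the login-style code the bank accepts the transfer to the mule account, because the code it verifies has nothing to do with where the money goes; with the bound code the same tampering fails verification. The caveat a practitioner should keep in mind: this only helps if the destination and amount the token covers are the ones the user actually sees and confirms (on the token's own display, or over a channel the trojan does not control). If the token just reads those fields from the infected browser, the trojan feeds it the mule account and the binding proves nothing. The shared counter is a simplification; real tokens keep their own counter and the server allows a resync window.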

Why people stick to IE...or why should they change?

It's interesting to see some of the reactions after the IE 0-day thing that happened last week. There is one that always appears in these situations, the old question "why don't people change from IE?".

First, I believe this question should be answered in two parts, home users and corporate, with the final answer being the result of both together. Andrew Hay answered it properly for the corporate side. For the home user I believe the biggest challenge is to make people aware that other browsers exist and that changing from IE to another one won't be that hard. Mostly an awareness problem. However, if the recently converted Firefox user tries to access a website and it doesn't work well, he will switch back to IE and assume that "switching browsers is no good because the other browsers don't work".

OK, the problem of "why people don't change" is not that hard to understand. However, my question is a little different: why should we change? Or, should we really change?

Security issues result from the presence of threats and vulnerabilities. Internet Explorer is a huge target today, making the "threat presence" something quite big. But that happens mostly because of IE's market share. If you are trying to exploit browser vulnerabilities you will probably aim at the browser with more users, making it easier to find a vulnerable target. Will that still be true about IE if other browsers are able to catch up on market share? I'm certain that exploits, malware and drive-by attacks will start to be very common for other browsers if they achieve a higher market share.

Finally, on the vulnerability side, there are some indications that IE is not that bad, or at least that it is no worse than the others. It's not fair to judge the security of a piece of software by looking at a single vulnerability, as seems to be the case for IE now.

Having said that, I must say that I use Firefox for security reasons. I do that mostly because most of the THREATS are IE related, not necessarily because I think IE is more vulnerable. If Firefox's market share grows to a point where malware production targeting it starts to be higher than for IE, I'll certainly switch browser again (Chrome?).

OK, some might say that I just presented a different reason why people should move from IE to Firefox, and that the move still needs to happen. Yes, I would suggest it for home users, but if the move starts to happen in a massive way, corporate users included, the security gain will probably vanish. Funny, isn't it? To keep Firefox more secure, it's better that people don't change. That's the perfect example of where a Nash equilibrium solution would fit. It's also aligned with Dan Geer's ideas about software monocultures. How to achieve that perfect solution? If I knew, I would be a millionaire by now :-)

Tuesday, December 16, 2008

2009 predictions

Everybody is doing it, so I'll try some too. But I won't try any bold move here, like Paul Asadoorian did :-)

I'll mention four main things:

  1. Apple threats: the number of people using Macs is growing very fast. It is starting to become attractive for botnet herders, especially because almost no Mac users have anti-malware software installed or the habit of worrying about it, so it's easy to keep the bots installed. In the past I would have expected a big worm coming, but cybercrime is a reality now and those guys know when an opportunity like this arises.

  2. Blended/Hybrid Threats: We are seeing this already, like this malware that exploits SQL injection and an IE vulnerability. I believe we will see a lot of threats using multiple attack vectors, maybe even across different platforms and technologies. Vulnerabilities that can be used to redirect traffic from multiple users (like Dan Kaminsky's DNS bug) will be used to force people onto infected content, which will trigger other infection mechanisms. Worms will be able to spread to a higher number of hosts without generating suspicious spikes on charts, as the malware will randomly choose between several infection methods to propagate. Expect some huge botnets to be found as a result.

  3. At least one "cloud computing" security incident: OK, not that hard to predict, but I'll try to be a little more specific :-). There will be a discussion about what was compromised (infrastructure? application? vendor? client?) and people will start discussing how to conduct forensics under those new conditions.

  4. Virtualization nightmare: A vulnerability will be found in a virtualization platform or in a virtualization-aware product, enabling attacks from one guest OS to another (or even reaching a guest OS and triggering the exploit on another). It would be extremely fun to watch those "the cat is on the roof" discussions. A new wave of miraculous products will be released to solve the issue for that specific kind of attack. Your VM infrastructure will look like a Christmas tree and the operating cost of a virtualized environment will no longer be what was expected.
Let the game begin! Let's see how I'll do in 12 months :-)

Thursday, December 11, 2008

Keep alive

As all bloggers sometimes do, I'll also post a simple "keep alive" here just to show that this is not an abandoned blog :-)

It is holiday season, with guests at home, more things to do at work and too few interesting things to comment on out there. So please don't unsubscribe; I'm keeping some notes about what to post and I hope to start 2009 with some good content here. Thanks for your patience :-)

Tuesday, December 2, 2008

Can good programmers be part of a SDLC?

I've just read this short article from Paul Graham, called "The other half of 'Artists Ship'". The key point of the text is this:

"For good programmers, one of the best things about working for a startup is that there are few checks on releases. In true startups, there are no external checks at all. If you have an idea for a new feature in the morning, you can write it and push it to the production servers before lunch. And when you can do that, you have more ideas.

At big companies, software has to go through various approvals before it can be launched. And the cost of doing this can be enormous—in fact, discontinuous. I was talking recently to a group of three programmers whose startup had been acquired a few years before by a big company. When they'd been independent, they could release changes instantly. Now, they said, the absolute fastest they could get code released on the production servers was two weeks.

This didn't merely make them less productive. It made them hate working for the acquirer."

Assuming that writing secure code and the complete Secure Development Life Cycle can be described as "checks" and "controls", it would be natural to assume that good programmers don't want to work for companies with an SDLC in place. That is certainly an important thing to consider when moving to a more secure approach to software development. We know that an SDLC works for generating more secure code. But can we keep the good programmers while doing that? Can this issue be a problem big enough to make a company choose not to implement an SDLC?

AV on Mac

Of course you will need that, as even Apple is saying now. I can say that the need for anti-malware is one of the "growing pains" of end user operating systems. Soon they will start to suffer from backward compatibility issues, "too dumb" users, badly written applications and the other problems that Windows has had to deal with during the last few years. At least there is still the hardware vendor "monopoly" for Mac OS, which makes things a little easier for the OS. The other things will likely be exactly the same.

Monday, December 1, 2008

VP has taken the red pill

My friend VP has just discovered that everything is broken. He is talking about his last job pentesting web applications. I had the same feelings about basic network infrastructure: privileged credentials, file shares, the xyz-illion unidentified devices plugged into the network.

The interesting part of this job is not realizing that everything is broken. He probably went through an amnesia crisis or something like that, because we noticed that ages ago. The real issue is not that, nor trying to fix everything, but how to achieve business survivability/assurance without having to fix everything. That's the kind of challenge that is really interesting!