Thursday, April 30, 2009

It's a rant, but it's so good

It was written some weeks ago by Stuart King. I love it. Two key points for me:

"Many 'experts' preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards."

"A network scan report is given to a newly CISSP qualified security analyst and he's asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practiced in basic technical skills, able to spot anomalies, and not afraid to question things that don't look right. The scan results never tell the full story!"

Where is security heading to?

I was reviewing my notes about RSA to prepare a series of posts about what I saw there during last week. I've had a sense of disappointment since last Friday that was preventing me from writing anything good about it. I started to think about all this and also about some of the things that I see as key for the evolution of information security, and I ended up with some thoughts that should be in a separate post. Another one about the RSA sessions I attended will follow. For now, let's try to solve all security problems :-)

If there is anything that shouldn't be ignored in current security (and IT in general) discussions, it is "the Cloud". A quick walk around the vendor booths at RSA would show that this is the hot subject of the day. Cloud computing is the explanation for why things that were hot last year were not so strong this time. NAC and DLP were everywhere in 2008 (Anton noticed they disappeared too); now everything is "cloud based" and virtualization. In fact, when you consider the cloud services model you'll see that the priorities have indeed changed. One of the key concerns of security professionals until a few months ago was authentication-related issues. Within the cloud, however, it loses some importance. Of course, applications still need to authenticate users, but if you try to authenticate all the IT components that you are interacting with in a cloud model, you are lost. At some point in the near future you'll probably be in a situation where you don't know where your data is being processed and stored (outside your organization; that already happens inside it :-)). So, the hot word today is "Trust", not "Identity". The cloud model is one of the signals that the Jericho Forum is reaching its goals. Now, more than ever, controls need to be on the endpoint and not on the network. And then, when all the security apparatus is on the endpoint, whom should that endpoint trust?

A sad conclusion from this new world is that transitive trust is an illusion. Do you trust the service provider of your service provider? The regulatory maze required to make transitive trust work on the compliance side and the immeasurable complexity required to do that on the technology side have condemned transitive trust in the cloud. We need something different if we really want to have information security commensurate with our risk posture in the cloud. But I'll come back to this later.

Most of the innovation presented during RSA could be seen as evolutionary innovation. There was no disruptive innovation at all. But I wonder if there is room for disruptive innovation in security at all. The abrupt changes (and disruptive innovations) come from other places, new business models and technologies. It is naive to expect that those new ideas will be born with security "built in" (I'm talking about the concepts, not necessarily the products). From this perspective, security will always be an afterthought and, as it will be following something instead of defining the way, there won't be any sharp turns. Security will always be essentially evolutionary.

Ok, but with those "sharp turns" (Web 2.0, cloud computing) from business and technology, what should we expect from security? Let's use the security cliché of People, Process and Technology to have a better view:

  • People and process

Hey guys, time to get your eyes out of the debugger. I mean, there's a lot of great content being produced on the validation/verification side, people confirming those very small chances of exploiting a specific product or technology. In other words, all those guys "making the theoretical possible". Don't get me wrong, this kind of research is critical to our field, but it seems that everybody now wants to do it. We need more people who can look at the problems from a different perspective, bringing concepts and ideas from other fields, like psychology (Schneier is doing it), biology (Dan Geer) and economics (Ross Anderson). All these fields have evolved a lot and we can get a lot of new ideas from them to apply to security. We can use them not only to improve technology but mostly to improve our processes, our risk management and assessment methodologies and the way that we think about risk and security. How can we still be discussing "compliance vs. security"? We had Malcolm Gladwell as keynote last year at RSA presenting the ideas from "Blink" (his book at that time) and I still haven't seen anything created in security using that valuable information about how people think. Just think for a minute how those instinctive decisions mentioned in Blink affect things like security awareness and incident response. You'll be amazed at how much we can use from that in our job.

There is also an old discussion about the profile of the security professional. This is one of the favourite topics of my friend Andre Fucs. Although I think it's a very important discussion, I'm not really interested in it right now. As I'm listing things that I believe we should work to improve and I included "People" as a component, it is important to mention that.

  • Technology

I'm seeing these days a lot of people bashing Bruce Schneier because he said that there's nothing new in Cloud Computing. Even if I partially agree with the criticisms, I think there is some truth in that statement too. Yes, there is a lot more flexibility and mobility in the cloud model, but there's nothing new in terms of technology. Almost everything we need to do our jobs has been invented already. We just need to look into our huge toolbox and identify what we need to use under these new conditions.

I find the relation between the cloud and virtualization curious. Virtualization is being pointed to as a way to implement the necessary platform independence and resource democratization that characterizes the cloud, but I believe we are just wasting resources by going in that direction. A few years ago Java (or, being more generic, "bytecode" stuff) seemed to be the way to go to achieve that platform independence. So, why put layers over layers of OSes if we can do what is needed using different OSes? Remember "Write once, run everywhere"? Maybe this is not the best time to talk about Java, anyway.

We are also pushing a lot of things to the endpoint. See what is being done with AJAX, all those mashups. And how are we trying to secure the endpoint nightmare? Sandboxes! How will sandboxes work with a technology that requires you to integrate all those things from different sources and trust levels exactly AT the endpoint? I really can't see a successful sandbox implementation under the Web 2.0 reality.

Why am I talking about virtualization and sandboxing? Because both, when we talk about security, are solutions to a problem that we may know how to solve with better approaches. We are doing that because we are using crappy Operating Systems. I don't want to sound like Ranum and say that we need to write everything from scratch again, but let's assume, for instance, that we have decent Operating Systems; why would I bother to create virtual OS instances when I can put all my applications running on a single (more effective and secure) one? Why should we worry about VMotion when we can just move applications? The mainframe guys have been running different applications in the same OS instance for years, being able to secure them against each other and effectively managing resources and performance. Let's learn from those guys before all of them are retired sipping margaritas in Florida.

Ok, even if we solve the issue inside the same organization, there's still the issue of dealing with multiple entities in the cloud model. Again, the problem is Trust. As I said before, transitive trust is an illusion and if we try to rely on it we will see a whole new generation of security issues arise. I honestly don't know how we will solve it, but one of my bets would be on reputation systems.

In fact, the business model of the cloud is not different from lots of things we do in the "real" world. We trust people and companies without knowing all their employees or all the other parties involved in their business processes. We do that based on reputation. A nice thing about it is that we can leverage some of the cloud characteristics to implement huge reputation services. Reputation databases can share, correlate and distribute information just like we do with names on DNS, with small and distributed queries. Let's imagine a new world of possibilities for a moment:

Your dynamic IT provisioning systems constantly get information about processing costs from cloud service providers. They find the best prices and acceptable SLAs, triggering the process to transparently move your applications to the best providers, keeping you always at the lowest available "IT utility" cost. Eventually, someone may try to include themselves in the "providers pool" to receive your data onto their premises and abuse it. However, your systems will not only check for prices and SLAs. They check the reputation of each provider, allowing the data to be transferred only to those that match your risk decisions. Just think about a database with reputation for several different providers, like Amazon, Google, GoGrid and McColo.v.2 (!). The database will be constantly fed with information about breaches, infected/compromised systems at each of those providers, vulnerability scanning results, abuse complaints. Everything mixed by mathematical models that will tell you which one you should trust your data to. That's for the cloud. Reputation can even be used to help end-user systems decide the trust level for each application they run (Panda and other AV companies are going in this direction). The future looks promising.
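To make the reputation-gated provisioning sketched above concrete, here is an added example (not from the original post) of one possible "mathematical model": incident signals of the kinds the post lists are decayed by age into a 0..1 reputation score, and the cheapest provider that clears both the SLA floor and the caller's risk threshold is picked. Provider names, prices, signal weights, the half-life and all events are constructed for illustration, not real data.

```python
"""Reputation-gated provider selection (illustrative; all data constructed)."""
from dataclasses import dataclass, field
from math import exp, log
from typing import Dict, List, Optional, Tuple

# Signal types fed by breach reports, scanning, abuse desks. Weights are
# constructed: one breach costs as much reputation as ten abuse complaints.
SIGNAL_WEIGHTS: Dict[str, float] = {
    "breach": 1.0,
    "compromised_host": 0.4,
    "scan_finding": 0.15,
    "abuse_complaint": 0.1,
}
HALF_LIFE_DAYS = 30.0  # constructed: an event loses half its weight every 30 days


@dataclass
class Provider:
    name: str
    price_per_hour: float              # the "IT utility" cost
    sla_availability: float            # promised availability, e.g. 0.999
    # (age_in_days, signal_type) pairs from the shared reputation database
    events: List[Tuple[float, str]] = field(default_factory=list)


def decayed_penalty(age_days: float, signal: str) -> float:
    """Weight of one event after exponential decay by its age."""
    return SIGNAL_WEIGHTS[signal] * exp(-age_days * log(2) / HALF_LIFE_DAYS)


def reputation(p: Provider) -> float:
    """Squash the summed penalties onto 0..1; 1.0 means no recorded incidents."""
    total = sum(decayed_penalty(age, sig) for age, sig in p.events)
    return 1.0 / (1.0 + total)


def explain(providers: List[Provider], min_reputation: float,
            min_sla: float) -> List[Tuple[str, float, str]]:
    """Per-provider verdict so the risk decision is auditable, not a black box."""
    out = []
    for p in providers:
        if p.sla_availability < min_sla:
            status = "sla_below_floor"
        elif reputation(p) < min_reputation:
            status = "reputation_below_floor"
        else:
            status = "ok"
        out.append((p.name, round(reputation(p), 3), status))
    return out


def select_provider(providers: List[Provider], min_reputation: float,
                    min_sla: float) -> Optional[str]:
    """Cheapest provider that passes both floors; None if nobody qualifies."""
    eligible = [p for p in providers
                if p.sla_availability >= min_sla and reputation(p) >= min_reputation]
    if not eligible:
        return None
    return min(eligible, key=lambda p: p.price_per_hour).name


# Constructed provider pool: "bravo" is the cheap newcomer with a fresh breach,
# "charlie" is clean but misses the SLA, "delta" had a breach a year ago.
PROVIDERS = [
    Provider("alpha", 0.10, 0.999, [(90, "scan_finding"), (200, "abuse_complaint")]),
    Provider("bravo", 0.04, 0.9999, [(5, "breach"), (2, "compromised_host"),
                                     (1, "compromised_host")]),
    Provider("charlie", 0.06, 0.99),
    Provider("delta", 0.08, 0.999, [(400, "breach")]),
]

if __name__ == "__main__":
    for row in explain(PROVIDERS, min_reputation=0.9, min_sla=0.999):
        print(row)
    print("chosen:", select_provider(PROVIDERS, 0.9, 0.999))
```

Lowering the reputation floor to 0.3 makes the just-breached "bravo" win on price, which is exactly the trade-off the post wants the provisioning system to make explicitly rather than by accident.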

A good call from one of the RSA keynotes was from Cisco CEO John Chambers. He talked about collaboration and integration. I really was expecting to see that on the Expo floor, but there wasn't anything really special. I was expecting to see more about IF-MAP, but didn't see anything, even from Juniper. Tipping Point CTO Brian Smith presented his view of how the integration of different products can improve or, in fact, transform the way that we do firewall rules. Getting tags from different systems (reputation based systems?) and building the rules based on tags, that was awesome. One of the few high points of RSA for me.

I was planning to do a review of RSA and ended up writing something like "my view of the current and future state of information security". It's probably poorly organized and not well founded, but I intentionally decided to keep it this way. I want to make it "food for thought" stuff. As usual, comments are welcome. Have fun.

Wednesday, April 22, 2009

RSA so far

So, trying to do a quick review of the first day:

Nothing really special from the keynotes. Funny to see that some people complained about Scott Charney, from Microsoft, doing a "vendor presentation". Actually I found his presentation better than the others (RSA, Symantec), as he didn't try to hide the fact he was talking about the roadmap of his products. I really don't like those vendor presentations where they show the current challenges exactly in the way that their last product is the perfect fit. Charney at least was honest about what he was showing.

The best session, as usual, was the Cryptographers panel. I was happy to hear their concerns about "Black Swans".  Bruce Schneier also mentioned his studies on Security Psychology. What I'd want to see now is how these things affect our current risk management methodologies.

After that, I watched some technical presentations, one of those about the new edition of "Hacking Exposed". Nothing really new there.

Stephan Chenette, from Websense, talked about script fragmentation attacks. Basically, JavaScript code being transferred in very small chunks through AJAX to evade detection, mostly by Web filters. The attack relies on code that will pull those small chunks and reassemble the exploit in order to execute it, which he called the "decoder". I think that one of the challenges of this attack is to avoid the detection of the decoder. Even if code from "non-malicious" libraries is used, I think there's still room for detection based on "decoder behaviour". An interesting part was when he mentioned cross-domain transfers to get the exploit; there are endless possibilities to explore in that direction. The decoder could find (and grab) the exploit pieces through Google searches, and those pieces could be inserted in apparently innocent comments on blogs and social networks. A lot of room to explore here.

After that I went to see some of my favorite security bloggers on the "security groundhog day panel", hosted by Mike Rothman. Some good discussions about PCI, cloud computing and compliance. It gave me some ideas to write about these subjects; I'll try to do it after the conference. Best quote from the conference until now was from Rich Mogull, "you need to know your own business". Dead right.

After that, Jeremiah Grossman presented the "top 10" attacks. Nice, but I could have just read the paper and used that slot for another presentation.

And day one was over. To be honest, nothing really special until now. Let's see if I can see something nice on the expo booths.


Do no evil?

That's Google's motto; however, there is really some room for thinking after watching the presentation from Ira Winkler. The most interesting thing is not only the huge amount of data that Google has, but their posture on inquiries and complaints about them. Still, they are usually seen as a "cool" company. As Ira said, what would be the public reaction if those services provided by Google were being offered by the government?

It's funny to see this trend of "cool companies". Google and Apple are the best examples. I think their posture on security and privacy concerns is deeply rooted in this "coolness" perception. Nobody thinks they are evil, so why bother trying to convince those few paranoid guys who have doubts?

As a side note, the first person that I heard was using Google Latitude is the most paranoid guy I know. What are those companies doing to be so trusted?


Tuesday, April 21, 2009


OK, a bit late, but here I am. I've just found time to write about RSA now, 40 minutes before the first keynote. I'm really curious about what the conference will look like after all this economic rollercoaster we've been through.

It's also my first time as "press". That makes me feel a little more obligated to blog about it, so I'll try to put my impressions about the sessions I attend. Let the show begin!

(And hey, if you are here and want to meet, just drop me a line by email (augusto at -blog-url) or Twitter (@apbarros).)


Saturday, April 11, 2009

Here it is, that potential vulnerability is now real

Run code on the host from a VM. That was something that everybody who had taken virtualization with a grain of salt when talking about security had been talking about. Today VMware is releasing a patch for a vulnerability that allows that to take place. Scary.

This is a reminder for you to avoid excessive resource sharing by VMs from different trust levels, like DMZ and internal servers. When you put VMs from different isolated network segments running on the same host you are creating a potential bypass for the whole network segmentation infrastructure.

Additionally, it's interesting to think about the implications of having your VMs running on a cloud service provider, together with VMs from other organizations. As we don't know about their security posture it's better to assume they are owned, for security planning purposes. That means that if the service provider does not patch its host systems in time your VMs will be owned too. So, what's the policy of your cloud services provider about these issues? Time to ask them.
I've just seen a very nice video showing an exploit for this vulnerability in action. Check it here.

Monday, April 6, 2009

Interesting webinar from IBM

IBM has scheduled an interesting webinar for April 15th. I don't know if it will be entirely "see how nice our product's features are", but as I've been recently blogging about how middleware happens to be a frequent blind spot, that may be something interesting to follow. You can also see some interesting posts from Gunnar Peterson about it.

Details about the webinar:

Middleware Security Holes You Need to Know About: They Increase Risk of Breaches, and Will Make You Non-Compliant with PCI

April 15th, at 12 Noon ET; 9 am PT

With T.Rob Wyatt of IBM

The Heartland Payments breach is another case where hackers were able to compromise the "soft center" inside the corporate network. One of the major security holes that remains unplugged in many organizations is middleware, especially middleware used for application-to-application and application-to-DB communication.

This webinar will feature the expertise of T-Rob Wyatt who is an IBM security consultant focusing on IBM Websphere MQ, which has been implemented by over 15000 enterprises around the world. T-Rob will talk about some of the security problems he has found working with merchants, payment processors and other enterprises, most of which have been missed by PCI assessments, often because PCI QSAs are not familiar enough with MQ series and other middleware to evaluate the security of the configuration.

This webinar will be very valuable for merchants, banks, PCI assessors and anyone else who is not sure what middleware vulnerabilities they have and how to make the changes to eliminate them.

SPEAKER: T-Rob Wyatt - Senior Managing Consultant, IBM

Topics to be discussed include:

  • What are the major middleware vulnerabilities?
  • What organizations still have these vulnerabilities?
  • What is required to eliminate these vulnerabilities?
  • What should organizations do near term to solve this problem?

Would you mind to explain how your security works?

Sometimes it's funny to see the faces of people when you ask that. Sometimes it is about an organization, sometimes about a product. Usually, the answer comes in the form of a bunch of acronyms, standards and nice phrases like "risk management process". The fun starts when there's also stuff like "100% secure", "certified against hackers" and "military grade encryption".

What is surprising to me (and to others too, as I noticed here) is that sometimes the questions are unexpected. Not only generic questions about the security of a service provider or a product, but also questions about their security details. I'm not surprised that the answers are crappy, I'm surprised that they are surprised by the questions! Hey guys, are you asking the right questions of the vendors? I remember working for a card processing company and asking some software providers about the security aspects of their products; they didn't know how to answer them. Worse, they would eventually reply "companies A, B and C are using it and nobody there asked us about it". What kind of questions are they hearing? Stupid things like "is this software PCI certified?" (!) "is it SOX certified?" (!!!) "is it ISO27001 certified?" (!!!!!!!!). It's not hard to see why there's so much bullshit about security from vendors; there are people out there buying (and enjoying) it.

Decently secure services and products will only be available when buyers start to (properly) ask for them. If nobody is asking, why would they bother about it?

Too much good content on the blogosphere

I must say that I should be writing ten times more than I actually am these days. The main reason is that the subjects that I've been interested in writing about are so great that I don't want to just throw out a simple post about them. I'm trying to give some room to my thoughts on them before writing something down, but I decided to at least point to what is making me think lately. The three subjects are:

  • The Information Security profession: I talked for some minutes about it with my friend Fucs. He posted something about it on his blog and started a discussion on LinkedIn. I have my own thoughts about it and I'll write about them here too.
  • How to improve security as a whole, or how to improve security decision making. I sent a proposal for an RSA presentation on it, which was not accepted. Our current risk assessment and management models don't seem right to me, and I have a perception that most security decisions, roadmaps and strategies are simply fairy tales. I was glad to see the latest rants from Marcus Ranum, where he pointed to a lot of those things. I'm not as pessimistic as he is, as I think we can find alternative ways to think about security and to make better decisions about it. A lot of the issues he mentioned are old facts about society and corporate culture; they haunted the Quality and Safety disciplines long before they started to be a problem in information security. I believe we should look to our past for things like that and try to find how we have managed to find a balanced state for them. Maybe we haven't, and we just need to figure out how to deal with that too.
  • The last one, again something from my conversations with Fucs. This time, some new ideas about botnet Command and Control systems, improving things we presented in 2007 at Black Hat Europe. Conficker has implemented some of those concepts, and we are seeing how well (or how badly) they worked and what could be done to improve them. I must say we have some great ideas, but I would really like to find something more on the detection and defence side before going into a presentation about it again. Let's see where our chats lead us in the near future.
Basically, that's what's in my head now. Feel free to drop comments on them if you want :-)


Thursday, April 2, 2009

MQ, one of the blind spots

I recently wrote about security blind spots, those things inside organizations that bring high risks but are usually not seen during risk and vulnerability assessment activities. Gunnar Peterson mentioned on his blog one of the most common blind spots for big organizations, MQ Series. This is related to the mainframe problem that I wrote about in my article about blind spots. As Peterson says, "MQ Series was designed for a benign environment not a hostile one. Because the mainframe plays a central role in many companies' culture they continued to connect the way they always had, and the inspectors (auditors, pen testers) didn't really notice because they focus mainly on the front door". That's really interesting. Security assessments usually pass far away from these very important points, because when scope definitions are made they are not considered "high risk" areas. The problem is that nobody has ever gone through a thorough review of those areas to identify the risk; people just decided that "the mainframe is secure", as there's nothing in the news or even mainframe exploits being published for Metasploit. That's not the case. Those vulnerabilities are from that class where you don't need an exploit, just some inside information. Today, with all those massive lay-offs, do you still think that this kind of information won't be available to potential attackers?