Monday, June 30, 2008

Errata Security Twitter

You read right... in keeping with Errata Security's mission to be cutting edge with the latest in internet technology, we now have a Twitter!

To follow along with all the fun, sign up for your own Twitter, and follow us at http://twitter.com/Errata.

Post below if you already have a Twitter and you'd like to be friends!

More fodder for the arms race...

http://tech.slashdot.org/article.pl?sid=08/06/30/1155205&from=rss

A long, long time ago (5 years I think) I did a talk on why anomaly-based IDSes do not work. Given the ability to spend a few days analyzing traffic, you can evade them easily. I am guessing the same holds true for "throttling traffic even though it's encrypted". If you look at the two points of data that can be reliably read, packet size and frequency, those can be varied greatly by an attacker without introducing much latency or overhead.

Like most things in security produced in labs, this technique will only be effective as long as no one knows it has been implemented.

And now, something new...


In homage to xkcd of course...

Random musings...

Have you noticed that Microsoft does not seem to want you to look at application crash data in Windows Vista? This morning I was doing…something…that…involved Flash. A 0xc0000005 error popped up and the application automatically restarted. No big deal, I thought; when it asks if I want to report the fault I will say no and grab the dump file. It didn't ask if I wanted to report the error, it just did. To add insult to injury, it deleted the dump file. It looks like it's time to do Vista research offline from now on.

Blizzard's Two-Factor Authentication

Blizzard's announcement of two-factor authentication for World of Warcraft is more significant than people realize.

Passwords are obsolete. They are broken. We all recognize this, yet we aren't quite ready to give up on passwords because we don't have an easy alternative.

World of Warcraft (WoW) is a good test case. It is the biggest online game and has the largest "black market" where people buy in-game money ("gold") for real-world dollars. User accounts, protected only by passwords, have real-world value. Hackers first strip the accounts for gold, then use the accounts as mules to sell gold and spam others with messages advertising their gold. Blizzard eventually bans the account, by which point the hackers have moved onto the next hacked account.

This is a huge cost. It costs Blizzard a lot of money (I would guess in the range of $100) to help a user recover from a hacked account. That assumes the user still wants to play and doesn't cancel their $15-a-month subscription, which costs Blizzard even more money.

Today's "viruses" usually contain keyloggers that specifically look for people logging into games like WoW. Phishing attacks likewise target gamers. However, there is an even easier way to get people's account names. People choose the same username/password for multiple sites. Therefore, if you want to steal somebody's account, you simply set up a site that requires a username/password and encourage players to log in. You then test all the accounts on your own site in order to see if they are also legitimate WoW accounts. Likewise, when hackers break into online sites, they can crack the password file and test how many are legitimate WoW accounts.

There are also other tricks. I just googled "hack warcraft account" and came up with a bunch of YouTube videos. You should watch them if you want to plumb the depths of human stupidity. They don't teach you to hack somebody's account. Instead, they show you a lot of technical mumbo jumbo, and bury within it all the tiny detail that you e-mail your own username/password to an account like "blizzard-character-recovery@hotmail.com". This account is not owned by Blizzard, but by the hacker trying to social engineer you into revealing your own WoW password.

If users are too stupid to make choices about passwords, the obvious solution is to take that responsibility out of their hands. That's what Blizzard has done. They are selling the user a typical two-factor-authentication device. Without this device, nobody can log into the account.

Some experts claim that two-factor authentication won't work. They are wrong, of course. There is no such thing as perfect security. Any solution has flaws, so for any solution, you'll have experts lining up to explain why it's not perfect. The only real questions are whether something will improve security, how much it costs, and whether the benefits outweigh the costs.

Blizzard is charging $6 for the tokens. This sounds like they are providing these "at cost". There are other costs to Blizzard, too. They need to maintain software on the backend that works with the keys. They also need to deal with support costs, as users break the keys and lose them. The users themselves will also experience costs. They have to learn how to use the keys, and it makes logging onto their account more annoying. That last item is an important cost - WoW makes money when their games are fun, and annoyances caused by security make games less fun.

The benefits would be big. Users who use the same username/password on multiple accounts would no longer be in danger. Phishing attacks would similarly be broken. Keyloggers in malware would no longer be a threat. Hackers could update their malware from simple keyloggers to hacks that would allow them to hijack WoW sessions, but that would be very costly. Keyloggers hack a wide range of applications, not just WoW - custom software for each application may not be worth it. Moreover, if hackers do come up with techniques to hijack sessions, Blizzard could quickly counter them with their famous "Warden" program.

Blizzard's experiment is of interest to all of us. Banks are trying out jury-rigged authentication schemes to avoid the difficulties of hardware devices like Blizzard's. In our experience as pentesters and system evaluators, these schemes suck. It is our belief that no system can be successful that relies upon people being smart about their authentication credentials. If Blizzard can show success with this system in the gaming community, it'll be a huge boost for the approach in other areas as well.
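The post argues that a one-time-password token defeats keyloggers and credential reuse because a captured code is useless once spent. The following is an added example, not Blizzard's or Errata's code: it shows the server side of the standard HOTP algorithm (RFC 4226, HMAC-SHA1 with dynamic truncation), which is an assumption about how such a token works, since the post does not say which algorithm Blizzard's device uses. The secret, account state and "captured" codes are constructed for the demo.

```python
"""Server-side verification of HOTP (RFC 4226) one-time passwords.

Added example illustrating why a one-time-password token defeats keyloggers:
a code that has already been accepted can never be accepted again.
"""
import hashlib
import hmac
import struct

# Constructed demo secret shared between token and server (the RFC 4226 test key).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for a counter: HMAC-SHA1, then dynamic truncation."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpAccount:
    """Per-account server state: the shared secret and the next counter it expects."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server will accept
        self.look_ahead = look_ahead  # tolerate a few button presses that never reached us

    def verify(self, code: str) -> bool:
        """Accept a code only if it matches a counter at or slightly ahead of the expected one.

        On success the counter moves past the matched value, so the same code is never
        accepted twice: a keylogged or phished code is worthless after the user has used it.
        """
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Simulate the post's scenario: malware captures a login code, then replays it."""
    account = OtpAccount(DEMO_SECRET)
    first_code = hotp(DEMO_SECRET, 0)                   # what the user's token displayed
    legit = account.verify(first_code)                  # user logs in; keylogger records the code
    replay = account.verify(first_code)                 # attacker replays the captured code: rejected
    drifted = account.verify(hotp(DEMO_SECRET, 3))      # token counter drifted ahead, still in window
    too_far = account.verify(hotp(DEMO_SECRET, 40))     # far outside the look-ahead window: rejected
    return {"legit": legit, "replay": replay, "drifted": drifted, "too_far": too_far}
```

The look-ahead window is the usual compromise between usability (a user who pressed the button without logging in is not locked out) and the size of the guessing space an attacker gets per attempt.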

Sunday, June 29, 2008

The continuing saga of McAfee malware


Almost a week after my humorous post about McAfee, I looked at my task list today and it's still running. This really upsets me. I tried to uninstall it, it stays. I tweak my registry, it stays. I spent an hour today trying to figure out how to get rid of it. It came down to simply deleting a link in the \\Windows\Startup folder. I know spyware that's easier to get rid of than this.

Blizzard

http://eu.blizzard.com/en/press/080626-ba.html

Blizzard is going to sell a One Time Password device. I suppose I should comment about security adoption or something like that but every time I see WoW now I just can't stop thinking about that South Park episode.

Isn't it kind of funny when an online game has better security than most banks?

Friday, June 27, 2008

AxBan 1.5

Errata Security has published the long-awaited AxBan 1.5 today.

This version has the auto-update feature that downloads the latest list of bad ActiveX Controls from an XML file on launch. It also has new usability features such as cut/paste and overview information.

Download the latest version to get these new features here.

Please send your feature requests or bug reports for this version to me at marisa@erratasec.com.

Thanks!

Thursday, June 26, 2008

Worm source code...

http://www.offensivecomputing.net/?q=node/773

Ever wanted to see what a mobile virus looks like? Here is the source code to the infamous Caribe worm which infects Symbian phones.

Aren't PHDs put in cages...err..classrooms...

http://www.securityfocus.com/brief/764?ref=rss

The failure of this program is all but assured with it being handled by "academic researchers".

http://www.theregister.co.uk/2008/06/26/fired_it_manager_rampage/

I keep seeing stories about people "hacking" into their former employers. You have to wonder if she used a SQL injection exploit to access the database or maybe a buffer overflow. I am guessing neither; instead she used her old credentials that were not changed after she was fired. In my opinion that's no more hacking than claiming a building was broken into after an ex-employee used keys they didn't turn in to unlock a door. Sure they were trespassing, but they didn't "break in".

Tenable's new patch diff.

http://blog.tenablesecurity.com/2008/06/patchdiff2---hi.html

Tenable released a new patchdiff tool for IDA 5.2. There is also a nifty little video showing changed and unmatched functions between two IDBs.

Yes YOU can own a gun

(DISCLAIMER: By YOU we mean US residents who have not been convicted of a felony.)
http://www.scotusblog.com/wp/court-a-constitutional-right-to-a-gun/

From the article:
"Answering a 127-year old constitutional question, the Supreme Court ruled on Thursday that the Second Amendment protects an individual right to have a gun"

Wednesday, June 25, 2008

You cannot believe what you see...

While reading Gizmodo this morning I came across an article about a project in Germany that allows modifications of photos in real time. The example in the video is a sign that has text overlaid when a picture is taken but is not visible to the human eye.

The immediate security/prankster portion of my personality thinks this technology would be widely useful at red carpet style events. Could you imagine if every picture taken at the Olympics had “Free Tibet” superimposed on the athletes? This could lead to a completely new kind of hacktivism.

On the flip side, how long until a company markets a product that will superimpose "This object's likeness is protected by copyright" on landmarks?

Here is the video:

Telecommuting spies?

http://www.af.mil/news/story.asp?id=123104128

Maybe I am wrong but it sounds like this is a press release that announces that AFCYBER is all for telecommuting.

Recently overheard at Panera: "Hey could you get me an oatmeal cookie, I have to watch this cruise missile strike its target".

70's Redux, finding pools

http://blog.wired.com/underwire/2008/06/brit-teens-pool.html

Anybody remember Dogtown? Stacy Peralta, Tony Alva, Jay Adams? They used to do this with a small aircraft to find pools to skate in. Here is an interview of Alva talking about it.

This is also a chance for people in the UK to do some out-of-the-box thinking when it comes to security. If you can find your pool on Google Maps, do something interesting like fill it with Jello before heading off on your vacation. Nothing says party like a trespasser stuck waist deep in Jello.

Tuesday, June 24, 2008

Funny article

http://www.iht.com/articles/2008/06/24/america/engineer.php

The best part of the article is:

The task force identified several programs that, hobbled by poor engineering management, have run up billions of dollars in cost overruns while falling far behind schedule. Among them:

A military satellite system designed to detect foreign missile launches that Kaminski said was inexplicably designed with two sensors that cannot operate simultaneously on the same spacecraft without extensive, costly shielding to prevent electromagnetic interference generated by one from disabling the other.


I once tested an IPS that would stop passing traffic every time the rules were updated. I later talked to a customer that had it deployed in a mission critical environment. A worm was spreading and they had a dilemma between updating the rules from the vendor and killing the traffic for 15 minutes, or not updating and taking the risk of infection.

Can antivirus be a virus?

My beloved Blackberry Curve met a bad end so I needed to pick a new phone. I decided to go with the Motorola Q9 after hearing good things about it. In rummaging around my new phone I found a link to download McAfee VirusScan. After kicking the tires, I decided it added nothing useful so I removed it. It did not go away. I then tried killing it in the process list but it came back. It's like a zombie from a George Romero movie, it just won't stop. It no longer shows up in the list of installed programs and it is eating up my battery needlessly.



It's running yet it's not installed...hrm...in fact you could say I uninstalled it yet it stuck around...hrm...What's the name for software like that?

McAfee VirusScan Mobile, I dub you "malware."

Windows Mobile Registry Viewer

Because of a project I am working on now I wrote a small, lightweight Windows Mobile registry viewer. It's really simple, has a few bugs, but serves my purposes just fine. Here are a few screenshots, and it can be downloaded here.

Monday, June 23, 2008

Apple malware

Macs only seem safer than other OSes. In reality they are just as risky. Because of this, I pay attention to any report of Mac-based malware and exploits. Last week two Mac security vendors (I didn't know the market was large enough for one) announced that they had discovered malware in the wild that took advantage of a recently discovered flaw that allows an AppleScript to run as root because of the permissions of the Apple Desktop Agent. In the Windows world it is common to talk about a vulnerability going from PoC to malware in a few hours or days, but this is the first time I can think of it happening on a Mac. The Mac flaw was made public on Slashdot on June 18th and the Macscan advisory is dated June 19th. You can come to two different conclusions and neither is good for Mac users.

1. You could conclude that malware authors are starting to pay more attention to Macs and quickly wrote malware to take advantage of the flaw. This means that as more vulnerabilities appear so will more malware. This is not good for a population of people that have been repeatedly told they do not have security problems.

2. You could conclude that this vulnerability is publicly known because the new Trojan uses it to install itself. This would mean that malware authors are finding and using 0day to spread their wares. This also is not good for a population of people that have been repeatedly told they do not have security problems.

Either way the Apple security problem is growing.

Why isn't Satan invited to Oreilly conferences?

Since we are talking about Ruby vulnerabilities, Blackhat, and other such things, I thought I would take this as an opportunity to respond to something I have read lately over on Oreilly Radar. In a post entitled “Satan on my friends list” a blogger named Jim Stogdill draws a comparison between Oreilly conferences and Blackhat with a quip that he “can't recall Satan making a single appearance in an O'Reilly conference program.”

Now let me start by saying I am a huge Oreilly fan. Almost every time I need to learn something new I grab the Oreilly book on the subject and in recent months I have found that Safari is indispensable as I have been navigating the world of C#, ASP.NET, and Windows Form Development. I even have Oreilly Radar as a subscription on my Kindle, which is how I read this post the first time.

My first reaction is to blast him with something like “The real difference between Oreilly Conferences and Blackhat is that nobody I know who speaks at Blackhat would try to write a post like that." I waited though. I let the topic roll around in my mind. I even read the Blackhat response to it.

I love Blackhat; I have spoken at many of them. I love the people that run the show, and I love the attendees. I have made lifelong friends while attending the shows but most importantly, I have learned as much from audience members as I have taught.

I know how hard it is for speakers to write good presentations. With so many tracks, so little time, most conference attendees have a few minutes to pick the next talk to attend and will often go with the best sounding title. If you look at a few of my presentation titles:

Device Drivers – Don’t Build a House on a Shaky Foundation
Trust No-one, Not Even Yourself OR the weak link might be your build tools
Data Seepage: How to Give Attackers a Roadmap to Your Network
NX: How Well Does It Say NO to Attacker’s eXecution Attempts?
SCADA Security and Terrorism: We're Not Crying Wolf!

They all seem sensationalist, but you have 30 seconds to grab someone's attention and convince them you are worthy of 50 minutes of their time. Could you imagine if college students could choose any class they like and professors were judged not just on course content but on how they are rated by students and how many people attend? Professors would have class titles like "Intro to Physics: The study of bodies in motion" or "Calculus: a primer for understanding and making money in the stock market" or "18th Century Romantic Literature: how to read porn without looking like a pervert".

The part that irks me the most about Jim’s blog entry is the last paragraph where he summarizes the Blackhat spectacle with the standard fare of tattooed people, brief thrills, low moral values, and every security researcher just waiting for a big payday to switch sides and become evil.

I wonder if this is how he really sees Blackhat and other such conferences. While Defcon does attract a wide range of geeks, it seems that Blackhat is far more kosher for the business crowd. You have the vendors with their snazzy little booths, you have every facet of enterprise security represented, from the make-it-happen engineers to the long-pontificating strategy-based CTOs. The keynotes are always interesting and the lineup is mostly relevant to people working in the trenches today. I remember the first Blackhat I ever attended: I saw Dan Kaminsky speak about his Paketto Keiretsu tools, which included scanrand, a high-speed port scanner. I was working at a large university at the time and immediately implemented this tool as a way to scan three and a half class B networks for open ports we were interested in. Using this we could track down malware that listened on a port as soon as possible. It would take less than 10 minutes to do as opposed to several hours with nmap (note: I am not knocking nmap, it's a great tool).

In my last post, I mentioned that although the current Ruby vulnerabilities are new, I first saw material covering flaws in interpreted languages, Ruby to be specific, at Blackhat Tokyo in 2005. Although even the Apple MacBook hack presentation by me and the original man in blue, Mr. Johnny Cache, was controversial and hashed and rehashed into the ground, the result was that a number of flaws in wireless drivers were closed. Some of these were as simple as setting the SSID of a wifi beacon packet to greater than 100 bytes.

As far as every "white hat" just waiting for a payday to make a switch, I find that personally insulting; I think it is insulting to the largest group of creative and intelligent people I have ever been a part of (the Blackhat speaker alumni). The people who speak at Blackhat range from poor college kids (Johnny was in college when we presented in 2006) to former presidential advisors like Richard A. Clarke. This group of people is dedicated to combating security problems and providing the good guys ammo in the continuing arms race that is security. I, like many other security professionals, have received unsolicited offers to purchase 0day, to write worms, or even requests to help crack a girlfriend's Gmail account. None of these offers are entertained, let alone offer any temptation.

Blackhat has a long and distinguished history of getting information into the hands of people that can make use of it and actually doing something about it. So in response to Jim's post I offer this thought: maybe it is time for Satan to make an appearance at an Oreilly conference.

Ruby vulns: it's been 3 years in the making

After a busy weekend, I come back to the magic of RSS to find multiple security holes in Ruby. I had heard about this last week but could not find any details. It seems that more information is now available from the Apple security team member, Drew Yao, who made the discoveries. You can read more about it at Matasano or from ruby-lang.

These finds are very cool, and I have always been interested in bugs in interpreted languages, mostly because some folks think they are "more secure" since the memory corruption angle is no longer an issue.

The first time I saw anybody publicly talk about this problem and a potential attack was at Blackhat Tokyo, by Dom Brezinski. Actually, when I say "I saw the talk" I mean I was sitting next to him in the speaker room discussing the problem afterward, because I was giving a talk opposite him on how to break security tools. The previous statement is to head off the trolls who will undoubtedly comment about my lack of actually seeing the talk because I was scheduled at the same time.

Friday, June 13, 2008

Verizon 500 breach report

Verizon has published a study of 500 investigations over the last 4 years. There are some obvious flaws (pie charts are never a good sign), but it's got a lot of useful content. The industry is full of misconceptions because people don't pay attention to what's really going on out there. This report has data that answers a lot of questions.

Misconception: "the standard way to take control of someone else's computer is by exploiting a vulnerability in a software program on it"
Verizon data: Only 15% of breaches were from hacking software vulnerabilities.

Misconception: Hackers target their victims.
Verizon data: 85% of attacks were "opportunistic", the hackers didn't know who their victims were until after they broke in.

Misconception: Certified anti-virus products detect over 99% of all viruses.
Verizon data: 25% of viruses/malware were customized to their victims and undetectable with standard anti-virus.

Misconception: Hackers are smart, clever, geniuses, wizards, etc.
Verizon data: 55% of attacks required essentially no skills, the level of "script kiddies" running automated tools. Only 17% required "advanced" skills.

Misconception: It's the insider threat. No, wait, it's outsiders. No, I mean, it's the partners.
Verizon data: 73% external, 18% internal, 39% partners. However, external breaches tended to be minor, whereas internal and partner breaches were major. Their numbers show that all three are important threats and that it's hard to measure which one is worse.

Misconception: Numbers are definitive.
Verizon data: These numbers are a bit subjective. For example, they notice that "physical breaches" were rare, but that's because Verizon wouldn't be called in to investigate a physical breach.

Question: What are hackers after?
Verizon data: Credit Card data (84%), Personal identity (32%), Username/passwords (15%)

Question: How old are the vulnerability exploits hackers use?
Verizon data: 71% older than 1-year, another 19% older than 6 months.

Sunday, June 01, 2008

Yellowcake and SCADA

Back in January, CIA "senior analyst" Tom Donahue published this:

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."


These claims are highly suspect.

What does "we have information" mean, exactly? Does it mean that the CIA (and Tom Donahue in particular) have themselves analyzed the facts? Or does it mean they are passing on rumors they've heard from foreign officials?

I've talked to foreign government officials about similar sorts of incidents AND have analyzed the facts. I find that the story gets increasingly mangled the further it gets passed around through government channels. What starts as a simple computer malfunction or operator error quickly gets blown up into a "hacker attack from the Internet".

I've heard of an incident where a hacker had caused a blackout and demanded ransom money to stop. It was later discovered that the "Internet hacker" was actually being helped by an insider. Both guys were caught and sent to jail. Thus, what appeared to be a hacker attack was in reality an inside job. This tale sounds suspiciously like the one above. The only difference is that my tale has an ending; the CIA's version does not say whether the ransom was paid, if the perpetrators were caught, or what happened. My knowledge of this incident is also second hand, so it may be no more accurate than the CIA's version, but I doubt it's less accurate.

The biggest problem is the CIA's claim that they don't have any details except for the fact that the intrusions involved the Internet. In the real world, this would be the fact they would be least likely to know for sure. The computers that control power grids are not connected directly to the Internet. They have private addresses (like 10.1.2.3) that aren't routable. In order to get to these machines, you must first break into bastion hosts. The result of this is that when hackers cause power outages, it's unlikely that you would be able to conclusively trace it back to an Internet hacker.

Hacking is as little understood today as witchcraft was in the 1600s. In much the same way that witches were blamed for unexplained incidents, hackers are blamed for anything unexplained today. The average corporate network is already infected with hackers in some fashion, so investigations into the unexplained will likely find signs of hacker activity. They might conclude that a hacker was therefore responsible for the power outage because office machines have been infected with a virus, even when the two cases are unrelated.

What we have here is just another example of the yellowcake scandal. In that case, the CIA confidently claimed that Iraq was trying to buy uranium from Niger. It eventually turned out that their claims were based upon rumors and (obviously) forged documents. This is another instance of the CIA putting their reputation behind dubious data.

SIDENOTE: Many of the countries the CIA is talking about still believe in witchcraft. Unexplained crop failures can still lead to witch-trials and resulting hangings - conducted by government officials.