Keeping It All Straight – Security Management Tip 101

One of the questions I get from clients is how I stay on top of so much stuff all the time. If you read this blog, you know we track emerging threats, identify new vulnerabilities, develop software, oversee our HoneyPoint deployments and run the whole security services company. That can be a lot of detail to manage, but it is doable with a system of methodologies, careful attention to detail and some good tools.

Today, I wanted to talk about a couple of the most useful tools that I use every day. They are very powerful and common, but they combine to be one of the most useful tools in my security management arsenal. Are you ready for the secret?

The big secret weapons are my cell phone (a Treo 650) and!

That’s right. My cell phone is a smart phone that is integrated into my management process. I can use it to send and receive email, keep my schedule and to even write blog entries like this one on the go. Often I use it to do quite a bit of writing, from emails to articles. It is a very powerful tool indeed. But, when you combine it with – it makes a world of difference.

For those of you not familiar with yet, it is a free service that lets you register a cell phone and obtain a number that you can call. When you call the service, you can “Jott” to yourself, or others if you share your address book with the service. (Hint: Read the Privacy Policy carefully before you share your addresses!)  Jotting to yourself or someone else converts your voice message or content to text and then emails both a digital recording of your message AND the associated text to the email you assign to yourself or the member of your shared address book! What makes this so powerful is that the ease of communication and style make it a very useful and rapid way to communicate.

Jotts can be long, short or pretty much anything in between. You can dictate a quick blog post, an email or just an idea to be pursued later. At MSI, we use these tools to quickly write content for WatchDog, the blog and email communications with clients. I use it to rapidly outline agendas for meetings or to establish on the fly scope of work documents that the technical or sales team can use to do business. Overall, used together, these tools really help me communicate and manage ideas, multiple forms of media and my team in a more rapid and easy fashion. Used carefully, (again, read the privacy policy), the tools can be leveraged for some amazing things. Don’t be afraid to give them a try, or to think outside the box for how to apply them to your own tasks.

4899/TCP Probes Still on the Increase

MSI continues to see increasing scans for vulnerabilities associated with port 4899/TCP. These scans are attempting to identify a particular product and gain access to the system through a known exploit.

Please verify that you have eliminated all traffic from the public Internet destined for this port. The original vulnerability has been around a while, but increasing blocks of IP addresses in EMEA are propogating the malicious traffic.

File Cabinet (In)Security

I have been toying with lock bumping since it became a national hot item a few months back. If you have not heard about it yet, check out the basics here.

OK, so a lot of this is overblown and the hype is pretty high to cause Mom and Pop to panic and buy some new locksmith services and products. I get it. I really do.

I also realize that the actual threat has been around a long time, and that criminals have known the technique for a while. I too have read that there has been little significant increase in break-ins since the lock bumping technique made headlines…

That said, I have been focusing on the long beloved friend of accounting folks everywhere – the venerable locking file cabinet. Best-practices for securing offices and accounting departments have long held that locking a file cabinet or desk drawer was a pretty decent layer of protection for the contents. Unfortunately, lock bumping very much changes that perspective.

I have attempted to bump quite a few file cabinets and desk drawers over the last few months. I am averaging in the 90th percentile in terms of gaining access. In many cases, it takes just about the same time as using the real key and I easily gain access to the contents to do with as I may.

How serious is this? Well, it makes much of the physical security associated with open cubicle environments suspect. Public access to receptionist desks and the like have proven pretty fruitful – including the usual suspects of phone lists, password lists and other generally attacker friendly items. Not to mention the items available for outright theft – often including just plain money…

The old rules of physical access trumping many security mechanisms still exist. Lock bumping techniques are just the newest way to reinforce the lesson. If you have not taken a good look at your file cabinets, desk drawers and the availability they might have to an intruder with a simple bump key – it might be time to at least think about it. Especially sensitive materials like regulatory data, personnel data and the like may have to be given some other special protections if your relying on rows of locked filing cabinets to secure it.

Ouch! 42 Web Vulnerabilities in an Hour!

As an exercise last week, 5 members of the MSI penetration testing team got together for a lunch hour exercise. The results were well worth noting.

In just under 1 hour, the team set forth to find out how many web-based application security issues they could identify in public sites. The rules were that they could not use any search engines, scanning or tools except the browser. Obviously, they could only footprint for the vulnerabilities and not verify or exploit them. However, since foot printing the presence of application issues is usually quite accurate, the data should be viewed as serious.

The sites they could target were also focused to common sites, and the list was adaptive – for example, several times they would find that several types of sites would be vulnerable, after they had identified a few of those types of sites, then further counting those types of sites would be off the table, so to speak. This ensured that the gathering did not get focused on specific types or trends of sites.

The team had decided beforehand that they would focus on three specific types of web-application issues: SQL injection, bad error pages that leaked too much information and cross-site scripting. All three of these issues are contained in the OWASP top 10 vulnerabilities.

Here is what they found:
•    12 bad error pages – we were surprised there were not more of these, but a dozen was bad enough and we were pretty stringent on what qualified, the leaking data had to be pretty egregious.
•    2 SQL injections – one revealed an underlying MySQL database in the error message, the other showed an ODBC error and revealed some source code for a connection to Microsoft SQL Server.
•    28 cross-site scripting issues – these were found so often that they kept us hopping to keep count of them, it seems that many many common sites suffer from XSS vulnerabilities. It is no wonder attacks leveraging them have become so common.

There you have it – 42 vulnerabilities in under an hour! Some of the sites identified were government sites, popular retailers and all kinds of other sites. I guess it just goes to show that we still have some to work to do…

TSA on Saturday Night Live

If you have not seen this yet, it is a pretty funny piece about just how stupid some of the TSA travel rules are. I have been railing against the security through theater of the TSA routines and the seeming madness of some of their decisions, bad moves and general practices for some time now. I truly believe that much of their efforts have been in vain, and that very few of their moves have truly significantly lowered any overall risks.

But, so I don’t get off on a rant here, take a just under 5 minutes and enjoy the humor!

SNL Video from YouTube!

US Government Lacks Security By Example

I have been paying attention to the way the US Government has been managing their cyber-security lately. I guess, since they have such a large responsibility to maintain security that I continue to be amazed at the poor examples that they set for others. How in the world can they expect organizations and businesses to maintain security when they cannot seem to do it themselves, even in the most critical of circumstances?

As an example, here is a recent article in the news about the TSA (a division of Department of Homeland Security) losing a hard disk full of employee private data. The identity of TSA employees, given their mission critical role in the War on Terror, I would assume is a fairly important piece of data for TSA to protect. How can government staffers and Congress rail against organizations losing back-up tapes and databases of information when the very people who are supposed to protect us show an example so egregious as this one?

I was reminded of this topic yesterday when on a visit to a website that is managed by the US Secret Service, I cut and pasted the URL between virtual machines in one of my virtual labs. In the cut and paste mechanisms, unbeknown to me, some character encoding was performed and the URL I was attempting to view got munged. Much to my shock, the web site in question spits out an incredibly in-depth application error page! The error page was a default .NET error page that revealed code, specific version information about the server, the applications and the environment. Now many of you might say “So what?!?”. Well, my answer to that is that bad error pages that display too much information are a basic component of the OWASP Top Ten issues that define the most common security baseline for web-based applications and web servers. Why in the world would an organization with the security requirements of the US Secret Service be missing such a simple issue? I can only hope (though I seriously doubt) that it is because they have performed an adequate risk assessment and identified this specific server as being of such a low risk that simply configuring it to spit back a standard error page is not worth the effort. How likely do you think that might be?

If you do some simple Google searches around US Government security, you will find all kinds of bad examples. I know that their attack surface is immense, their threat models are severe and that their resources are limited, but I truly hope they begin to address some of these basic issues. I really think they should be in a position to set an example of proper security and data protection and be more of a role model for how it is done. I would much prefer that to the way it is now. What do you think?

Phishing Attack Circumvents Some Multi-Factor Authentication

A security researcher has revealed the details and mechanisms for a technique to circumvent multi-factor authentication on some banking and other web-applications. The attack depends on the fallback to a secret question type of authentication when no cookie or token is available for the user. The researcher has demonstrated using the technique to perform successful phishing attacks against some systems.

The attack heavily leans on the fallback mechanism that many organizations have put in place to allow customers to skip multi-factor mechanisms and resort to a single secret question – though it could also be used against sites that fallback to passwords or other single factor mechanisms. If your organization uses fallback access tools that are only single factor – this could be a serious risk to you.

The fact that the attack technique was made public means that copycat and attack evolutions are very likely. Certainly, we will see probes of authentication fallback mechanisms and web-applications go through yet another rise in probes and scans. The resources required to perform the attack vary little from traditional phishing, and any development required to code the proxy mechanisms is likely to happen fairly quickly.

Organizations should carefully inspect their authentication mechanisms and configurations and should consider eliminating single factor fallback if that is an option.

You can read more about the researcher, the attack and the mechanisms used here.

ISS & TippingPoint Spar Over – Shock! – Vulnerability Disclosure!

ISS and TippingPoint seem to be battling it out publicly over the ethics of hacking contests, buying exploits and responsible disclosure.

This is a discussion that has been a long time coming. Companies like TippingPoint and others who buy zero-day exploits and sponsor hacking for money contests and the like seem to be very shortly distanced from people or companies who release exploit code and tools that make attackers better at what they do.

I think that it is high time that someone holds the ethics of these firms and individuals feet to the fire, so to speak. How companies or people can create attack tools, sponsor the creation of zero-day attack code and teach attack techniques to the public while still saying to customers – “trust and pay us to protect you” seems pretty odd to me. It certainly makes me think of movies where small business owners pay large men with baseball bats for “protection”.

While the bat may have changed to computer code, I just don’t see how making attackers more effective, funding underground research and encouraging attacker behaviors are responsible, ethical and proper for those persons and organizations that claim to be out to protect businesses from such attacks.

Want to Know How to Improve Security Awareness – Just Ask!

I have been hearing a lot of questions lately about how to create effective awareness programs inside your organization. To most companies, this is a very difficult task. Here are three strategies to make this easier for everyone and a whole lot more effective than what you are likely using now:

1) Ask your employees. Hold a few round table sessions with various randomly selected employees. Stress to them the importance of information security awareness and ask them what they think would be effective to reach into their peers. You might just be surprised by what they have to say. Incorporate some or all of their ideas into your program, of course, with appropriate metrics and monitoring. Don’t be afraid to embrace these new mechanisms, they are often hidden gems.

2) Think like marketing. Stop thinking of security awareness as a security function. Only the message/content is security, the rest is plain old marketing. Include your marketing department in the process. Actively engage them in the process of selling security to your employees. It makes a world of difference. Also, on this note, make sure you support their efforts to tune and refine the message and profile the employee audience. Those traditional marketing approaches may seem fuzzy to security folks, but they are what clearly separate the wheat from the seed in this undertaking.

3) Embrace new technologies and multi-media. Face it, if posters and such worked so well, the problem would be solved already. The fact of the matter is, you need multiple forms of contact with the employees to cause change and sell them security concepts. The more mixed media and content with common themes, the better. This simply works. Think about it, again from marketing terms – does Coke just use posters to sell sugar water? No, they use a variety of media and messages with a common theme to get people to drink their products. Do what works; don’t be afraid to move beyond posters and meetings to really make awareness work for you and your organization!