“Secure Code” Will Save Us — Right????????

I know we have always preached that application security is much more cost effective when it is baked in. But, the reality of today’s application horizon is that security is an afterthought, at best, for a majority of web applications. A variety of reasons ranging from inexperienced developers to legacy technologies and from apathetic customers to security issues in core technologies have made this so. In fact, in our application security testing services we often encounter applications in production environments that fail to protect against attacks from 10 years ago!

The average development team we work with seems to be interested in fixing the problems, but often lack the basic understanding of how common attacks like SQL injection and XSS work. Without a basic understanding of the threats, how on earth can they be expected to protect against them? Recently, we spent more than four hours explaining the white list vs black list approaches to a certain development team who shall remain nameless. It took almost a half day of conference calls and email exchanges for them to understand how these basic approaches to filtering user input could be employed to protect their application against input validation attacks. It was not that they were not trying. The problem seemed to be that their application was developed by a small group of intern level programmers and the team members with real programming experience (the one(s) who had done the engineering and application design) were long since gone from the company or reassigned to other projects. Without experienced oversight and guidance, the interns had produced working code for sure, but without any underlying controls, security, availability or reliability!

Today, if we look at the marketplace, there are a ton of solutions attempting to bolt on security after the fact. Everything from code scanners to web application firewalls are emerging as controls to help organizations deal with web application security. One of the big problems with these technologies is that they require changes to the underlying source code, logic or web server environments. At the very least, WAFs act as a filtering device at the protocol layer, and many applications simply perform unreliably when a WAF is “protecting them”. What we really need is a reliable way to add security to web applications without changes to protocols, environments or logic.

Of course, the ultimate argument is that what we really need is secure code. I have read a lot of security pundits lately talking about how “secure code” is the solution. “Secure code” has become the latest battle cry, silver bullet, smoke and mirror trick and marketing hype. However, “secure coding” is not easy. It is not immediately available for most organizations – there is no switch to flip on your developers to make them churn out “secure code” – there is no ONE class or seminar you can send them to make them write “secure code”. Instead, it takes ongoing education, updates to existing code tools, frameworks and development environments. It will be a long, slow process. It will be a human process and it will be expensive.

Even then, once we get all of our programmers making “secure code”, there will still be problems. New attack formats will arrive. Legacy applications will still have old issues – some may be rewritten, but it won’t be cost effective for all web applications. New technologies and web enhancements will certainly degrade the security posture of even today’s most hardened web application. In other words – as you have heard me say before – Security is a journey, not a destination. We won’t get all of our code secure. We will never cross the line when all web apps are safe. We will simply move closer to a time when a majority of web applications are secure enough to meet our level of risk tolerance. Even then, that moment is likely fleeting. The center will not hold. The universe breaks down upon itself. Entropy is a true constant in the universe, even the security universe. The center will just not hold……

[Tangent] Can infosec VARs Really Make an Evangelical Sale?

We have been having quite a struggle finding infosec VARs to resell our HoneyPoint products. The problem seems to be that HoneyPoint and the idea of a Next Generation Distributed Honeypot product are such a radical concept to most organizations that they require evangelism and education for the customers to understand the value of the product and why it is a better solution that they are using now. It usually takes a while for them to understand that they can free themselves from false positives and the overhead of many of the detective tools they are using today if they simply embrace the idea of thinking differently about the problem.

VARs today seem to be focused solely on the products that are demand driven. They want to sell the Cisco products, the copies of anti-virus and the stuff that clients are already used to asking for. The days of VARs looking for ways to shake up the markets, establish value with fresh approaches and build their businesses by leveraging rapport with their customers by solving their deeper problems seem to be all but gone. Sure, you can find VARs to resell your widget or appliance if you have a model that requires little work, even if it has a small margin. But, it seems like finding evangelical VARs is nearly impossible in today’s market. If they are out there, we don’t seem to be able to find them.

I really feel like that is a bad thing for the market and for the clients. In the early days of MSI and the security industry, there was a lot to be gained by being a VAR that was able to bring bleeding edge solutions to customers. I can remember working with clients to help them understand new protective technologies like the Sidewinder firewall from Secure Computing, Real Secure from ISS and spending a lot of time traveling, talking to clients and listening to them explain the things that hurt them – then digging into the net and our brains for REAL, DEEP solutions that addressed the root problems that they were experiencing. For me, at least, that was the exciting thing about being a VAR – finding that next breakthrough that could really empower some of my clients in a way that they may not even have known that they needed until we showed them that a better way was available. That was exciting, fun and really gained us the trust of organizations who have been clients for nearly two decades now.

If there are any VARs out there that you think fit this model, I would like to hear about them. I would love to find a few folks who are willing to help evangelize what is clearly a better solution to the insider threat and to securing virtual environments. I would like to work with someone who shares that energy, passion and willingness to help solve deeper problems than traditional “network gear” resellers will ever be able to uncover. If you’re out there, give me a call – I think we have something to talk about…

Myriad of Ways to Trigger Internal DNS Recursion – Please Patch Now!

For those organizations who have decided not to patch their DNS servers because they feel protected by implemented controls that only allow recursion from internal systems, we just wanted to point out that there a number of ways that an attacker can cause a recursive query to be performed by an “internal” host.

Here is just a short list of things that an attacker could do to cause internal DNS recursion to occur:

Send an email with an embedded graphic from the site that they want to poison your cache for, which will cause your DNS to do a lookup for that domain if it is not already known by your DNS

Send an email to a mail server that does reverse lookups on the sender domain (would moving your reverse lookup rule down in the rule stack of email filters help minimize this possibility???)

Embed web content on pages that your users visit that would trigger a lookup

Trick users through social engineering into visiting a web site or the like

Use a bot-net (or other malware) controlled system in your environment to do the lookup themselves (they could also use this mechanism to perform “internal” cache poisoning attacks)

The key point here is that many organizations believe that the fact that they don’t allow recursion from external hosts makes them invulnerable to the exploits now circulating in the wild for the DNS issue at hand. While they may be resilient to the “click and drool” hacks, they are far more vulnerable than they believe to a knowledgeable, focused, resourced attacker who might be focused on their environment.

The bottom line solution, in case you are not aware, is to PATCH YOUR DNS SYSTEMS NOW IF THEY ARE NOT PATCHED ALREADY.

Please, do not wait, active and wide scale exploitation is very likely in the very near future, if it is not underway right now!

Project Pre-Release – Vulnerabilities in Popular Content Management Systems Under Study

Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user friendly source code scanner for performing deep analysis of PHP applications including their surrounding javascript and HTML components.

Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.

First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an off shoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.

Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:

WordPress, Joomla!, Mambo, Drupal and BitWeaver

We then downloaded the current versions of the CMS (as of that day, a couple of weeks ago…) and set up our testing environment.

We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.

To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.

For now just let us say that we are evaluating our findings and that the tool performed very very well.

I look forward to sharing the details with everyone in the coming days.

Let me know if you have any questions about the product, the project or the work.

SHOCKER – The FBI says Wi-Fi Hotspots are Insecure!!!

It’s hard to believe, but the FBI has recently announced that Wi-Fi Hotspots might not be secure.

I read it here, so it must be true… 😉

In a way I am glad to see public notices like this. Maybe if the FBI draws attention to the problems, average people will pay attention to the solution. Of course, their mitigation suggestions include the “keep your computer patched, use firewall and encryption” routine.

The sad part is that you can do all of these things and still fall victim to a number of security issues such as dns poisoning, DHCP spoofing, social engineering and a myriad of other problems. I guess that is a perfect reason why we push so hard for average folks to use our HoneyPoint:Network Trust Agent product. At less than 10 bucks, it adds yet more capability and ease of use to protecting even non-technical users when they are on untrusted networks, including wi-fi.

Public networks are likely to remain unsafe for users who are not vigilant for a long time to come. Firewalls and patches can help keep them safe, but until they make better decisions about information security and can resist many of the basic attacks that leverage social engineering and the like, free wi-fi will likely be a cyber-wild west for a while longer.

If you want to hear more about protecting mobile users against public network threats, drop us a line. Until then, we will wait to hear from the FBI. Maybe they can help us get the word out that there is help available for wi-fi users.

Time to Play Some Offense…

To quote, Allan Bergen, it sure looks like it might be “time to play some offense”…

Not surprising to me, I read today that the primary security concern of IT managers is the inside threat. It doesn’t surprise me because I have been working on educating organizations for several years about the seriousness of the insider threat. In fact, I would suggest that there are very very few threats that are NOT insider threats. Why? Because there really is no inside or outside. Thanks to disruptive technologies and evolved attacker capabilities – just about everything is exposed to attack. Just ask some of the recent vendors who were compromised in high profile “PCI-related” cases how well they feel that their “perimeter security” protected them…

The truth is, there are three powerful things that can be done to combat modern attacks, whether internal-based or executed by attackers half a world away.

1. Implement and enforce data classification – Know where your critical assets are, how they move around your environment throughout their lifecycle and then use tools like access controls, encryption and integrity verification to make sure that they are protected. Use logging analysis and event management to detect issues and make sure all of the controls, including role-based access controls, are HEAVILY and PERIODICALLY tested.

2. Embrace enclaving – Enclaving is like defense in depth throughout the whole network. Establish proper need to know boundaries, then build enclaves of security mechanisms around the data. Don’t build networks that trust user workstations with access to databases and other servers, segregate them with firewalls, detection mechanisms and access controls. Build as much security for the users as makes sense, but design the environment so that if users make bad decisions (which they will) and get popped – so what! Client side exploits and malware are only a concern if users have access to inordinate amounts of data. The problem is making sure that you get your controls and practices tight enough to limit the exposure that user compromise presents. That alone should go a LONG way toward minimizing your risk if done properly.

3. Move up the security stack to Threat Management and Risk Assessment – Use processes like risk assessment as a factor in business decision making. Security can truly empower business, but you have to let security teams stop being the “patch patrol” and “net cop” and let them get to actually helping you manage risk. They have to be able to identify threats, model threats and understand attacks and exposures. That requires education, dependable tools and upper management support. Encourage your security team to mature and begin to take real-world risk into consideration. Help them to resist the cult of the arcane technical security issue…

Of course, MicroSolved can help you with all three of these areas. We have the experience, insight and expertise to help you build effective enclaves and design data classification systems that make sense. We can help your team find security assessment goals that make more sense and provide ongoing assessment to keep them focused on the real-world risks. Our HoneyPoint products can help them model threats, frequency of attacks, understand the capability and intent of attackers and even give them deep insight into proactive risk metrics that they can leverage for “more science than academic” metrics of risk measurement. All of these things help your organization protect against the insider threat. All of them are available today.

The bottom line is this – if you are an IT manager looking to defend against the insider threat – give us a call. Together we can apply these strategies and others that your organization may need to effectively manage their risk and protect their assets.

At MicroSolved, we think differently about information security. So should you.

Spam from a Security Vendor

I really wanted to call this post How NOT to Sell Your Scanning Tool to Other Security Companies, but it seemed a little long.

Great….. That’s really just what you want to see…Looks like it went out to all PCI ASV companies. Fantastic, now I get spam based upon the PCI vendor list… I guess there is irony in the security business after all…

So, today, I was lucky enough to get spam from another security vendor with an offer to tell me all about how their company and tool can really help us be a better PCI ASV. I thought I would include it here, with some relevant commentary…

My name is Bob XXX and I am responsible for XXX PCI Compliance Partner Program.

Hi Bob. Just in case you are new to the security world, spam is not really cool and uninvited emails, especially those without an opt-out mechanism (like this one…) are really not much different than the guys selling V1agr4 and other junk via email. It basically uses other peoples’ time and resources without their consent…

A number of PCI ASVs use XXX products and services as a basis for their PCI Scanning offerings for the following reasons:

Wow! This is a great point. So, I can use your tool, just like other ASV providers and have even LESS to set me apart from my competition on the race to FREE scanning for PCI compliance. Ummm, thanks…

XXX PCI Scanning Solution

Wait for it… Here it comes…. The long list of “benefits” to me as a security provider…. Right….

… Is a leveraged investment providing unlimited scans and not a pay for every scan expense.

Well, at least I only have to pay for it like regular software and not that pay as you go model. Ummm… How is this a benefit for ASV companies? How is this different from Nessus and the plethora of other scanners that don’t follow the “Comodo model” (wait… aren’t they FREE for PCI scans now???)?

… Can accurately identify over 17,000 conditions which can decrease analyst review time; reducing time and cost.

I always love these numbers… Our toolset checks for more than 20,000 security issues… I hate adding these in, but a lot of clients always ask for them….Also, a definition of “accurately” would be appreciated. If you are suggesting that your tool has 17,000 checks that don’t create any false positives then I would say you are delusional. Be truthful, you say it reduces analyst time, but if an analyst still has to check them then we are again back to the definition of “accurate”…

… Is based on XXX XXX, a commercially available product, with ongoing investment in research and development to insure it is the most robust and accurate solution available.

So, “commercially available” translates to “better”? I would love to see you argue this with several security folks I can think of. How does commercial availability translate to quality? Are you implying that open source or propietary solutions are lesser because of their availability and lack of commercial cost? Is Linux less “robust and accurate” than Windows because it is open source or does the fact that Redhat sells a version of it make it more “robust and accurate” since it is commercial???

… Is supported by XXX’s award winning customer support organization.

Good. I am glad to hear you have won awards for support. How much support does the product need? Oh, wait, I think I see your implication – it’s that open source thing again isn’t it? Exactly what products are you attempting to compete against? I mean Nessus, which I would assume to be your primary target, has support too if you purchase the product. My guess is that this is a stab at the customer emotions and fears of newsgroup and mailing list support. Is that still an issue? I mean, especially since ASV companies are supposed to be the experts with their scanning tools, how does this translate to something I should be concerned about? Don’t my technicians know their tools well enough to not need the usual technical support?

… Can provide a strategic foundation for other revenue generating services such as
Ø Web Application Scanning
Ø Vulnerability Risk Management Scanning
Ø Configuration Compliance solutions

Now this is interesting… At first, I took it to mean that the tool did all of this… But it just says that it provides a “strategic foundation” for generating revenue from other services… What exactly is “Vulnerability Risk Management Scanning”? How is that different from traditional vulnerability scanning? Does it measure, quantify or create metrics somehow that communicate real-world risk, or is this just the usual H/M/L stuff like always? As for the revenue, would that be revenue for the ASV or for XXX? Both? On the good news front, I am pretty glad to see that you mentioned scans for web application issues, that is a good thing and at least you got this right…

I would like the opportunity to discuss your current solution and answer any questions about XXX to determine if we are an attractive alternative.

If you are interested in learning more, please respond to me so we can coordinate a day/time for a phone conversation.

Ummm…. Thanks, but no thanks. First, my company is an ASV. To become an ASV we had to do some scanning and testing. Thus, we already have tools. We also already appear to have tools that are superior to yours, at least in our opinion.

But, the number one reason I would not buy from your company is that one of the first rules of e-commerce security is don’t purchase things from unsolicited emails; it only encourages more spam. In addition, it just doesn’t fit my ethical compass to support security vendors who would engage in “spammy practices”. Good luck, Bob, but I think you might want to think about your email marketing approach a little bit more…

The “TSA Week at a Glance” Content – Huh???

This just in from the “No, we swear this isn’t propaganda” department.

The TSA seems to have added a section to their web site where you can keep tabs on just what they have been up to this week. You can check it out here.

As of this moment, here is what they have been doing so far this week:

* 15 passengers were arrested due to suspicious behavior or fraudulent travel documents

* 18 firearms found at checkpoints

* 12 incidents that involved a checkpoint closure, terminal evacuation or sterile area breach

* 16 disruptive passengers on flights

So, basically, according to those figures – they apparently have worked 61 “incidents” this week alone. Unfortunately, what they don’t seem to show is a graphic that shows where this lies as a historical piece of data. Wouldn’t it be whiz bang cool if they had a graph that showed historic trending? Maybe they could also do some sort of predictive “threat radar” that could turn various colors and make beeping sounds when they think more disruptive passengers are expected- like say the next time airlines go out of business, strand travelers, treat them without dignity – oh wait, that seems to be usual air travel today. No wonder they don’t have any sort of historic metrics…
I also particularly liked the large window at the top of the page that currently says something to the effect of “Chilling details have emerged about a trans-atlantic terror plot.” I am pretty sure that’s what I want to read from the TSA – horror stories. Is it just me or does this stuff seem like maybe it belongs someplace else? I really don’t want to view that material from the government group that’s supposed to protect me. Sure, you have the details. Sure, you might even have caught them, but I also think it induces more fear than it calms and reassures.
Hey TSA, how about a lot less marketing and a lot more focus on the presenting the details that we NEED TO KNOW. Please, refrain from using FUD to justify your presence in our lives and your budget dollars. Thanks!!!

Patent Wierdness and the Security Market

CrowdedMarket.jpeg

So I was doing some patent research today and I have to say that some of the patents out there for information security are pretty weird.

I found patent applications for wireless access points that turn on radio jammers in response to attacks (thus blocking even legitimate users), ethernet cables that can be colored with special markers depending on the security of the system they are attached to, a physical key-based device that controls an ethernet air-gap and even a patent application that was denied for patenting the word “security”.

I had no idea that so many things had been patented, or attempted to be patented. Maybe I am not a “patent insider” – but a lot this sounds like junk, bad infomercials and “seen on TV” security products.

I think I should find a VC and maybe patent the special “security gnomes” that some software vendors believe protect their software from well-known exploits. Or the “magic security dust” that some managers believe allows them keep their data protected without investing in any real security staff or initiatives. If those don’t work, maybe I will patent some sort of “cyber-ninja” that seeks out and destroys cross-site scripting vulnerabilities and SQL injections. Why not? It might be as effective a control as colored ethernet cables…

For a couple of years now, Allan and I have been talking about just how noisy the information security market has become. Even after a large consolidation phase, there are still a bunch of vendors, some selling solutions and some selling snake oil. The average IT manager is probably getting 10+ calls a day from vendors selling them everything from firewalls to NAC and from AV software to USB blockers. No wonder average security consumers are having so much trouble knowing the real from the hype!

I didn’t start this blog post to be a rant or anything, but the oddity of the patent searches really left me in awe. The security space is crowded, noisy and a lot like a downtown Delhi market. There are exotic spices, rarities and a number of arcane items everywhere you look. Hopefully, there are also some honest to goodness, back to basics solutions mixed in too. Your mission, should you accept it, is to sort them out…

Cisco Embraces the Scheduled Patch Cycle – Ummmm, Twice a Year???

Well, I think we all knew it was coming. More and more vendors are moving to the scheduled patch cycle instead of releasing as-needed patches. This both a boon and a disaster, depending on your point of view/level of risk tolerance.

In this article, Cisco announces that they will now release their patches every 6 months. I suppose they consider twice a year patching to be enough for the critical components of the network such as routers, switches and other devices. Heck, they are even going to move Linksys patching to every 6 months, so the home users of the product line can ignore them 2 times per year, on schedule, instead of ignoring the patch releases all “willy-nilly” like they presently do.

Why do all the vendors think scheduled patching is such a good idea? I suppose the only answer is that it helps them better schedule their own resources and such, since it CERTAINLY CAN’T BE ABOUT MINIMIZING THE RISK WINDOW BETWEEN VULNERABILITY DISCOVERY AND MITIGATION. Resource scheduling is also the most common cause I hear from IT folks who support this process of patch releases. I just hope that we can convince attackers to manage their resources a little better too, since it would be very nice if their vulnerability research, exploit development and wide-scale attacks could magically coincide with the appropriate patching processes. Then everything would be better for everyone and the world would be a very nice place indeed…

The problem is, the real world just doesn’t work like that. Exploits and vulnerabilities will continue to be discovered in real time, just as before, except now attackers will know the timeline for the value of their new attacks. In many ways, this serves to bolster the underground economy of attack development since you don’t need 0-day for Cisco products, 179-day exploits will do just fine!

I get the desire of IT and vendors to stabilize their work forces and to better schedule and manage their resources. I really do. Police would like to be able to schedule crime as well, so that they could have weekends and nights off to spend with their families. But, being a law enforcement officer comes with some requirements and schedule flexibility is one of them. The same goes for IT folks. In my opinion, scheduled patching, especially patching every 6 months, is simply a reinforcement of traditional IT thought processes. If my readers know one thing about the MSI vision, it is that thinking differently is the key to information security, since what we are doing to date does not seem to be working so well.

Cisco is a huge company. I know many consider them to be unresponsive to customer concerns, but I truly hope that IT professionals reach out to them on this and that they listen. Cisco devices truly do form the core of many, many, many networks. Their products literally power much of the Internet as we know it today. That gives them immense power, but also makes them a HUGE target. Given their critical role, six month patching just does not seem to be a reasonable solution to me. If you feel the same way, let them know!