I Totally Owned Your Grandma…

Posted in security on June 8, 2010 by hellnbak

This was originally written by me and posted here as a guest blog:

http://www.zdnet.com/blog/feeds/i-totally-owned-your-grandma-aka-social-networks-as-attack-platforms/2838

=========================================

Guest editorial by Steve Manzuik

Lately there has been a lot of attention given to various privacy issues of social networking sites.  Whether it is Google’s Buzz automatically adding anyone you have ever emailed to your follow list or the multitude of Facebook privacy concerns, it seems that all of a sudden the world is now worried about their privacy on the Internet.  While I can understand why some users wish to have their privacy, I do chuckle a bit inside when I hear people complain that they wish to have privacy on an open and public network.

While this blog post will not be specifically about privacy, I do want to state that expecting privacy on the Internet is a bit misguided, as no one has ever had privacy on the Internet. Unless you are encrypting every little packet sent from your system, it has been read somewhere by someone for whom it was not intended. Users are failing to make the connection between acceptable behavior in the real world and acceptable behavior on the Internet. If you want something to be private you wouldn’t yell it out in a crowded shopping mall, so perhaps you shouldn’t post it on a social networking site. Privacy issues aside, the real topics that interest me when it comes to social networking on the Internet are the various ways that social networking tools become attack platforms. During the recent privacy debates Mark Zuckerberg, founder of Facebook, was quoted in the Washington Post stating the following:

“Facebook has been growing quickly. It has become a community of more than 400 million people in just a few years. It’s a challenge to keep that many people satisfied over time, so we move quickly to serve that community with new ways to connect with the social Web and each other. Sometimes we move too fast.”

If you put yourself into the mindset of an attacker, do 400 million targets all centralized on one fast and ever-changing web application not sound like a great place to play? Attacks via the Internet are nothing new, but over the last five years we have seen the intent behind attacks shift from mostly harmless annoyances to actual well-planned business models that give an attacker the ability to create an income from successful compromises. Whether that income comes from rented-out botnet cycles, from spam, from theft of corporate secrets, or even from the outright stealing of bank funds, today an attacker has the ability to make some real money. Combine this ability with 400 million targets who are mostly non-technical and running ineffective host-based security solutions, and you have a breeding ground for malicious behavior. Or, as my grandma likes to call it: “that Facespace thing on the Internet”.

Without getting too platform- or site-specific – because let’s face it, these days it really doesn’t matter what operating system or browser you use – let’s look at some of the ways that your grandma will get abused via social networking. I did some very fast brainstorming via email with some very smart colleagues and friends and we came up with some attack scenarios that are all possible today. I won’t credit each person, but you know who you are, so thank you for your input.

Attack Scenario 1: Malicious ad content
The very core of most social network sites’ “business plan” is to generate revenue via advertising content. This is achieved via partnership deals with the various online advertisers as well as, in some cases, the ability for general users to purchase ad space that appears in a targeted fashion. Leveraging this model has actually been done before with much success. I am sure that there are multiple ways that this can be achieved. The two that pop into my head immediately are 1) generating an ad that entices users to click and then serves them malicious content, or 2) depending on how much HTML and Java-fu you are allowed to use in an ad, having the ad itself contain malicious content. This type of attack is actually very simple and in my opinion would probably have a high rate of success. Remember, your anti-virus and other host-based security products are only protecting you from the threats they know about – meaning anything you throw together will have success until the security vendors collect their samples and write their signatures for it.

Attack Scenario 2: Spyware-infested applications
I won’t get into the debate over what is and what is not considered spyware. Social networking sites like Facebook have shown us that even if you are a shady scam artist, users are willing to install your application so they can grow virtual crops, manage fish farms, or pretend to be a mobster. Why not take this to the very next level and place spyware or other potentially harmful and malicious content into your games? A smart attacker could easily come up with an application that the masses want, only to then leverage that popularity to do evil.

Attack Scenario 3: Targeted attacks
This is probably the more interesting attack scenario, mostly because an attacker can leverage this to compromise those of us who feel that we are too careful to become victims. Social networks have been great for people to reconnect with old friends and maintain those connections. The very nature of a social network is that your connections, and even some conversations, are public; a savvy attacker could easily leverage this information to attack those who feel they are safe. For example, if someone wanted to compromise my systems, I would hope that they would not have a lot of success by attacking me directly.

That said, they could target someone close to me who may not be as diligent with their online security. Once that target is compromised, a targeted attack via their social network would have a higher chance of success – because who would suspect someone close to them as an attack source? An alternative scenario could also be to compromise someone in the target’s social network who is known to occasionally roam onto the target’s private network. A back door installed via a social network attack could work wonders as a launching point for an attack once that system is connected to the right network. The example used here is based on a targeted personal attack – but would this not also work very well to gain access to an internal corporate network? We all love to share who we work for via our social networks.

Attack Scenario 4: Virtual gets real world
It seems that between various status updates, services like Gowalla or Foursquare, and the ability to instantly upload a photo to the web complete with geo-tagging information, we are able to know where everyone in our social network is, physically, at all times. In many cases a lot of this information is public and viewable by anyone. How long until petty thieves begin to leverage this information to determine which homes are empty and easy targets for robbery?

The previous scenarios are only the tip of the iceberg when it comes to ways that an attacker can leverage the social networks themselves to conduct attacks. None of these scenarios are really new; each of them has already been used in a successful attack. Of course, I have not gone into how one can protect themselves from these sorts of things. The frightening reality is that today’s security mechanisms are not sufficient to protect us against today’s attack vectors. The software industry has done a great job dealing with the messes of the past, but they have not adjusted or moved fast enough to address what is currently going on and what will happen in the future. No, this is not me saying that we should not run any host-based protection products, as they are better than nothing.

The reality today is that we as end users of various social networking services are really at the mercy of the service providers.  With the shift in cloud computing and the ability for everyone to share everything online instantly we are placing a ton of trust in the hands of a few providers to protect us.  The Facebooks, Twitters, and Foursquares of the world owe it to their end users to be more diligent and perhaps provide a little more scrutiny to the services they offer.

Hopefully startups like Immunet continue to pop up and introduce interesting and hopefully more effective ways to protect end users from attackers and, sadly enough, from themselves.

Operating System Choice Does Not Equal Security

Posted in security on June 2, 2010 by hellnbak

Yesterday, while some of us in the USA were enjoying a day off, Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns. My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision. That was, of course, before I actually read the entire article.

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called “China hacking incident”, but I can comment on the stupidity of this clearly knee-jerk reaction. Your operating system choice does not equal security. I cannot put that any more simply than that. If your company employs experts in Linux then it makes sense to standardize on Linux. If your company employs expertise in Windows, rolling out Linux, OSX, or any other operating system is asking for problems.

Obviously in Google’s specific case one could argue that they have more expertise in Linux. So the switch from Windows isn’t a security concern; it’s common sense, and it makes me wonder why they would have had Windows boxes in the first place. This quote from an unnamed employee says it best:

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I could care less what OS Google or any company standardised on. The reason I felt the need to comment on this was not because I think Google is making a mistake, but because the press is taking some comments from “anonymous employees” out of context, turning this into something it’s not, and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure”.

Corporations get hacked; in fact they get hacked much more than we read in the press. Sometimes those hacks come via a “zero day” type attack and others via a known issue that the corporation failed to patch. This is the reality of running a business in the Internet age.

Let me paraphrase what was said by myself and other “experts” back in February 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html):

Every operating system has its advantages and disadvantages in security, but none is a silver-bullet, more secure option. Some represent a higher risk than others, but in reality you are only as secure as your ability to administer the chosen operating system. This means that if your organization has IT expertise in Linux then you are probably more secure running Linux than you are running an operating system in which they do not have the same level of expertise. The same goes for companies that have Windows expertise: while I am sure that a good Windows Administrator can find his way around alternative operating systems, I would not want that Administrator to be responsible for securing an operating system that he is not proficient in.

So while one could argue that in general Windows has been the riskier operating system to run, I would counter that argument by saying that, while correct in the past, it is this level of exposure and risk that has caused great improvements in Windows security. Not to mention the fact that if you are Google you have a very large target painted on you, and no matter what operating system you decide to run you are, and probably always will be, a target of attackers. Shift your operating system and attackers will shift their attack methods.

Based on available public information on the Aurora attack, the compromise may have come via an unpatched Internet Explorer vulnerability and was a targeted attack. The second part of that sentence is actually the more important one here. TARGETED ATTACK. This means that when, and not if, Aurora the sequel happens, it will come via an unpatched vulnerability in whatever operating system happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts around what your operating system choice means to your security. In fact, the Financial Times article is nothing more than FUD generated by “anonymous” quotes from “anonymous sources”.

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and decide that, because the great minds at Google have done this to be “more secure”, they should follow suit. They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time, and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat... the cycle of Information Security Myths trumping actual progress continues...

Now for Something Completely Different

Posted in Hockey, Personal Shit on May 6, 2010 by hellnbak

Apologies to those who follow this blog just for my security geek content. But this time I am posting something completely different.

For the three years I have lived in the Bay Area I have been partially a San Jose Sharks hockey fan as well as a Calgary Flames fan. I have taken all kinds of shit from friends as well as random hecklers at the Tank. So, I made a bet with my wife-to-be, some of my slimeball friends, and patrons of the popular dive bar Cinebar.

The bet was simple. If the San Jose Sharks went further than the Calgary Flames in the playoffs (09/10 Season) then I would allow my Flames jersey to be defaced and/or destroyed. I lost this bet, as the Sharks are 1 win away from knocking Detroit out of the second playoff round while the Flames are already on the golf course. So, instead of defacing my jersey I decided to give it a more fitting funeral.

Backpedaled But Still Very Wrong

Posted in security on May 4, 2010 by hellnbak

I guess all of the attention that the mindless blog post by eEye created has caused them to backpedal quite a bit. Sadly Morey is still way off the mark and, if anything, has just made it more clear that he is attempting to use this as a reason you should buy their product and not use the free and better tools out there. I did a quick check of Google Cache and was not able to find the original post, but here is the text of the post from yesterday:

Penetration Tools Can Be Weapons in the Wrong Hands
Author: Morey Haber Date: May 3rd, 2010 Categories: Network Security, Vulnerability Management

After a lifetime in the vulnerability assessment field, I’ve come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.

We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple’s devices. Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.

Making these tools readily available is like encouraging people to play with fireworks. Too bold of a statement? I think not. Fireworks can make a spectacular show, but they can also be abused and cause serious damage. In most states, only people licensed and trained are permitted to set off fireworks.

Now consider a pen test tool. In its open form, on the Internet, everyone and anyone can use it to test their systems, but in the wrong hands, for free, it can be used to break into systems and cause disruption, steal information, or cause even more permanent types of harm.

How many people remember the 80’s TV show Max Headroom? Next to murder, the most severe crime was if users illegally used information technology systems to steal information or make money. There was tons of security around these systems and even possession of tools to penetrate a system was a crime too. So what’s the difference?

Yes, it is just a TV show but in reality today we are in effect putting weapons in people’s hands, not tracking them, and allowing them to use them near anonymously to perform crimes or learn how to perform more sophisticated attacks. It all comes back to the first amendment and Freedom of Speech. I can write a blog of this nature, state my opinion about how I feel about free penetration testing tools, and assure everyone that they need defenses to protect their systems, since free weapons are available that can break into your systems – easily.

And now today, it has been replaced with the following (http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands):

The post I had here earlier was worded in a way that was misleading, and I want to rewrite it now so that I’m perfectly clear.

Thousands of legitimate individuals and businesses (including eEye) perform penetration testing, which is useful, required by regulatory compliance, and a very important tool in the security industry. Referring to it as anything besides a tool is a poor choice of language, and I want to correct it. My main issue is with running penetration testing tools against assets that the user either does not own or is not responsible for. And, the easy availability of such tools, often free of charge, opens the door for this potential abuse. On the contrary, it also makes it easier for businesses to test themselves whether a vulnerability can be exploited. This is a difficult balance.

With many years in this business, I’m well acquainted with what can go wrong, and what I hoped to convey was the importance of well-managed testing under the watch of a user who knows what they’re doing. When these tools aren’t used as they are intended to be, with care and professionalism, damage can be done. Having them free, and readily available for everyone increases the risk of the wrong person, using the right tools, in the wrong way.

So now all Morey was trying to say is that running a free tool against an asset you do not own or have permission to “attack” is a bad thing. He stops short of saying how he proposes we solve this problem, but I am sure that is on purpose in order to prevent falling down the rabbit hole of this discussion and yet again making completely stupid and indefensible statements. Besides, isn’t this just like saying that doing is bad?

However, once again, Morey completely missed the point. Taking a tool and charging money for it will not deter an attacker. Attackers, the real ones, not the kiddies that get caught, already have their own toolsets and shared knowledge base. If they absolutely require a commercial tool to do their job, which is a laughable scenario, there are enough places to get them for free. I mean, one can simply download a free trial of Retina, eEye’s vulnerability assessment tool, and then easily crack it. A quick search of popular torrent and other warez resources easily proves that all the commercial tools are just as easily available as the “free” ones.

But a real attacker, the one companies like eEye cannot protect you from, will not use or need these tools regardless of their cost. Once again, Morey makes former eEye Researchers sad by demonstrating his complete understanding of the very basic concepts of Information Security and demonstrating just how far eEye has fallen.

Time to go pour a 40 out for our fallen homies….

UPDATE: With Blackhat coming up, and in good fun and as a joke (please read that 10 times, as I still have a ton of respect for a lot of my former co-workers at eEye), I had to do this:

Remember this from I think 2005?

This year it should be this T-Shirt:

How The Mighty Have Fallen

Posted in security on May 3, 2010 by hellnbak

Full Disclosure: I am a former eEye employee and managed their now pretty much dead Research Department. Something which, after reading this post, I can honestly say I am embarrassed to admit. This is a classic case of the inmates taking over the asylum.

This morning a friend of mine pointed out this blog post –>  http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands

I actually had to double-check that this was a legitimate BLOG from eEye, and sadly it appears that this is in fact a real post from someone who has been at eEye for a very long time or, as we used to put it, “during the glory days”. I am almost at a loss as to where to start ripping on this shortsighted and outright stupid post.

I guess the best place to start is with their BLOG title: “Security Focus – Insights from the Frontlines”. One would expect that a company with the knowledge and background of eEye Digital Security would know that the “Security Focus” name has been in use by a company now owned by Symantec for a very long time. Did all original thought leave that company during the mass exit of their research team?

OK, I agree making fun of their lack of originality in a BLOG title is probably being a little over-critical, so let’s look at the content of the post itself. Right from sentence one eEye comes off as being completely clueless:

“After a lifetime in the vulnerability assessment field, I’ve come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.”

A crime? Not this argument again. Was Morey asleep for the 80s and early 90s? Penetration Testing by definition is not a crime. In fact, it is something that is done with permission (usually written permission) of the targets in question. Perhaps what Morey is attempting to say is that “cracking” (for lack of a better word) or (sorry, have to use it) hacking without permission is a crime. Penetration Testing is not. Did eEye consider this a crime when they sold Retina? What about when they released detailed advisories that assisted in the creation of exploit code? Why didn’t Morey, who was around for these things, share his objection to this apparent crime?

“We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apple’s devices”

Apparently Morey is not a lawyer. Actually, neither am I, but most of us have the common sense to know that freedom of speech does not take precedence over a license agreement or EULA. Freedom of speech is a great right we all enjoy, but it does not protect any of us when we choose to violate other laws or agreements. Hearing eEye rally in support of a EULA is amusing to me, especially for those that remember the IDA Pro incident (google it).

“Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.”

Point being? Is this really his argument? I thought the mass damaging of brain cells via alcohol abuse left eEye a few years ago. Apparently not. I could use a rolled-up newspaper to break the law. For example, I could take this paper, roll it up and beat some sense into the author of this post, which would be some form of assault. Does that mean we should all rally against newspapers because clearly in the wrong hands they can be used for evil? Of course not!

“Making these tools readily available is like encouraging people to play with fireworks.”

It is the playing with these so-called “fireworks” that has improved the state of security today. Without it, we would still be stuck in the 80s and guys like Morey would be selling used cars and not security software. I won’t bother continually quoting and ripping apart each clueless sentence that came out of Morey’s keyboard. But he does go on to be a little more obvious in his intentions by saying that it is the FREE tools that are the problem. I guess now that Code Red, Nimda, and Slammer are a thing of the past, eEye needs a new way to sell their product.

This is the equivalent of blaming a firearm manufacturer for murder.  Guns don’t kill people.  People kill people and sometimes do so with a gun.  Licensing and tracking those who have Penetration Testing tools will not improve or change anything.  Do you think someone who willingly breaks the laws will care one bit about legitimately licensing a tool?  Do you think that everyone who commits a computer crime uses a free tool like Metasploit?  Obviously not.

If I were an eEye customer, and thank god I am not, I would be very concerned that someone who holds the title of “Director, Product Management” clearly has no clue about the security industry, what a real penetration test is, and what value tools like Metasploit offer. It would be interesting to know how many modules in Metasploit were written as a direct result of information released by eEye Research. I bet it’s more than one or two. Perhaps eEye should be concentrating on improving their own products so they can actually compete with the free alternatives instead of demonstrating a complete lack of coherent thought on their blog.

Would that make Morey not only clueless but also a complete hypocrite?

Apparently Time Has Reversed – Not The Disclosure Debate Again?!?

Posted in security on April 23, 2010 by hellnbak

Remember back in 2001 when researchers were compared to Terrorists and the term “Information Anarchy” was coined? You can read this blast from the past here –> http://www.windowsitpro.com/article/windows-client/information-anarchy-the-blame-game-.aspx

As the saying goes, those who do not learn from history are doomed to repeat it, or something like that. And so we have this clueless blog post over on the Verizon Business Blog –> http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/

The gem of this post is:

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”

Sigh. Really? One would think that a business with the word “Intelligence” in it would actually show some. Meanwhile we all know that the “intelligence” is nothing more than a bunch of drones monitoring IPS logs and being yelled at when the technology they have pimped out does not actually detect a real-world threat. So instead of actually attempting to improve things, it is much easier to point fingers, call names and attempt to blame researchers.

Researchers *DESERVE* credit for their finds because, while they are causing short-term pain (short-term pain Verizon Business is able to invoice clients for), they are effecting long-term changes. History has proven that when a vendor gets tired of being hammered by security issues, that vendor starts taking security seriously and begins to improve. Let us not forget that the majority of researchers do this FOR FREE, so giving them some resume fodder and recognition should not be such a big deal.

Verizon Business’ entire business model would fall apart if it were not for these so-called “Narcissistic Vulnerability Pimps” giving your drones something to submit billable hours for. Or how about the fact that Verizon Business themselves have employed, and may very well still employ, the exact people they are attempting to point fingers at. I know for a fact that at one time (maybe still) a couple of very high-profile “Pimps” were receiving paychecks from Verizon.

I am totally stealing this comment from Charlie Miller’s twitter (http://twitter.com/0xcharlie), but based on this blog post Verizon Business are the whores that the vulnerability Pimps peddle to. Given the choice of being a pimp or a whore I would pick pimp any day of the week: the wage is better, the benefits are better, and who doesn’t like smacking a ho once in a while?

Let’s back up a second and try to determine exactly what Verizon is complaining about. I suppose they are trying to point out the difference between a researcher that follows responsible disclosure and one that does not. So why the silly name calling? Why not just simply put it that way? There are those that believe in responsible disclosure and there are those that do not. Kind of simple, isn’t it? Oh wait, that does not make for a good blog post to generate some attention and traffic, much like this one.

While I am ranting about what is probably the most ass-backwards blog post this year, I might as well share my opinion on the whole disclosure thing, and yes, I do truly believe that this is beating a dead horse, as there will never be an opinion that is completely correct.

There was a time, especially around the 2001 timeframe, when I believed that reporting a bug to a vendor, then giving said vendor a set amount of time (30 days in my case) to fix a vulnerability, was the right thing to do. After the 30 days expire, release full details on the vulnerability and move on.

Over the years, and as I began to work for various software and hardware vendors, my thoughts on this slightly changed, putting me more in the responsible disclosure camp. To me this means: you find a vulnerability, you report it to the vendor, and you wait for the vendor to patch before releasing your independent advisory. The severity of the issue, based on ease of exploitation and impact of exploitation, dictates how much information to release on the issue, as the whole point is to actually help increase security. The only caveat I have to this is that I also believe that if a vendor is refusing to patch an issue, not taking the issue seriously, or someone else finds the issue and uses it publicly, then all bets are off and it is better to simply drop all details so that those in the protection business have a level playing field.

In fact, the only reason I am against the whole “No More Free Bugs” movement is because if you privatize and monetize the reporting of vulnerabilities, you remove the ability to hold a vendor truly accountable by having the ability to simply “drop zero day” on them to force a fix. Once you enter into contracts and start accepting money for vulnerabilities, you lose your ability to force change. That said, a pimp needs to get paid. ;-)

Anyway, this whole argument is stupid. Full Disclosure works, and in my opinion responsible disclosure is a safe compromise as long as the vendor is playing along. Verizon Business is truly biting the hand that feeds them.

Murder – Just Like In The Video Games

Posted in Uncategorized on April 8, 2010 by hellnbak

By now I am sure most of you have seen the “Collateral Murder” video that was released via Wikileaks. I do not want to get involved with the armchair debates over what should or should not have happened. I have no real military experience to speak of, unless being chased off a Canadian base by MPs counts. I also have a ton of respect for the soldiers who put their lives on the line so assholes like me can say what is on my mind.

That said, a friend of mine who I won’t name pointed out how close the real-life footage from the Apache gun camera is to the Call of Duty 4 AC-130 Mission. I found this comparison amusing. I mean, they even got the bounce of the corpse right in the video game. Well done...

Collateral Murder Video (must login to Youtube) –>  http://www.youtube.com/watch?v=5rXPrfnU3G0

Call of Duty 4 AC-130 Mission –>  http://www.youtube.com/watch?v=xAscuD4loh8
