Archive for fud

Operating System Choice Does Not Equal Security

Posted in security with tags , , , , , , , , , , on June 2, 2010 by hellnbak

Yesterday while some of us in the USA were enjoying a day off Google made the news with this article in the Financial Times stating that they are moving away from Microsoft Windows due to security concerns.  My first reaction was to question why a company with as many smart brains as Google would make such a misguided decision.  That was, of course, before I actually read the entire article. 

To steal from the FT.com article:

“We’re not doing any more Windows. It is a security effort,” said one Google employee.

“Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

I cannot comment directly on the China hacking incident because I was involved in various meetings with unnamed companies and unnamed forensics experts on the so-called “China hacking incident” but I can comment on the stupidity of this clearly knee jerk reaction.  Your operating system choice does not equal security.  I cannot put that any more simply than that.  If your company employs experts in Linux then it makes sense to standardize on Linux.  If your company employs expertise in Windows — rolling out Linux, OSX, or any other operating system is asking for problems.

Obviously in Google’s specific case one could argue that they have more expertise in Linux.  So the switch from Windows isn’t a security concern its common sense and makes me wonder why they would have had Windows boxes in the first place.  This quote from an unnamed employee says it best;

Employees said it was also an effort to run the company on Google’s own products, including its forthcoming Chrome OS, which will compete with Windows. “A lot of it is an effort to run things on Google product,” the employee said. “They want to run things on Chrome.”

I could care less what OS Google or any company standardised on.  The reason I felt the need to comment on this was not because I think Google is making a mistake but because the press is taking some comments from “anonymous employees” out of context and turning this in to something it’s not and helping perpetuate a huge Information Security Myth.

The myth I speak of: “Switching to Mac OSX or Linux will make you more secure”.

Corporations get hacked, in fact they get hacked much more than we read in the press.  Sometimes those hacks come via a “zero day” type attack and others via a known issue that the corporation failed to patch for.  This is the reality of running a business in the Internet age.

Let me paraphrase what was said by myself and other “experts” back in February 2010 (http://news.cnet.com/8301-27080_3-10444561-245.html)

Every operating system has its advantages and disadvantages in security but no one is a silver bullet, more secure, option.  Some represent a higher risk than others but in reality you are only as secure as your ability to administer the chosen operating system.  This means that if your organization has IT expertise in Linux then you are probably more secure running Linux than you are an operating system that they do not have the same level of expertise in.  The same goes for companies that have Windows expertise, while I am sure that a good Windows Administrator can find his way around alternative operating systems, I would not want that Administrator to be responsible for securing an operating system that he is not proficient in. 

So while one could argue that in general Windows has been the more riskier operating system to run I would actually counter that argument by saying that while correct in the past it is this level of exposure and risk that has caused great improvements in Windows security.  Not to mention the fact that if you are Google you have a very large target painted on you and no matter what operating system you decide to run you are and probably always will be a target of attackers.  Shift your operating system and attackers will shift their attack methods. 

Based on available public information on the Aurora attack the compromise may have come via an unpatched Internet Explorer vulnerability and was a targeted attack.  The second part of that sentence is actually the more important one here.  TARGETED ATTACK.  This means that when, and not if, Aurora the sequel happens it will come via an unpatched vulnerability in whatever operating system happens to be in use at the target company.

It is really too bad that the press in this particular case did not reach out to real security experts and get actual facts around what your operating system choice means to your security.  In fact the Financial Times article is nothing more than FUD generated by “anonymous” quotes from “anonymous sources”.

The unfortunate part about FUD like this is that all week various executives at other companies will read this article and determine that because the great minds at Google have done this to be “more secure” that they should follow suit.  They will bring in some clueless IT Security Consultant (aka CISSP) who will back up this opinion for the sake of billable time and the poor IT guys will have to do their bidding and will ultimately make their company less secure than it was in the first place.

Rinse, wash, repeat.. the cycle of Information Security Myths trumping actual progress continues…………..

Advertisements

How The Mighty Have Fallen

Posted in security with tags , , , , , on May 3, 2010 by hellnbak

Full Disclosure:  I am a former eEye employee and managed their now pretty much dead Research Department.  Something of which, after reading this post, I can honestly say I am embarrassed to admit.  This is a classic case of the insane taking over the asylum.

This morning a friend of mine pointed out this blog post –>  http://blog.eeye.com/vulnerability-management/penetration-tools-can-be-weapons-in-the-wrong-hands

I actually had to double-check that this was a legitimate BLOG from eEye and sadly it appears that this is in fact a real post from someone who has been at eEye for a very long time or as we used to put it — “during the glory days”.  I am almost at a loss as to where to start ripping on this shortsighted and outright stupid post.

I guess the best place to start is with their BLOG title;  “Security Focus – Insights from the Frontlines”.  One would expect that a company with the knowledge and background of eEye Digital Security would know that the “Security Focus” name has been in use by a company now owned by Symantec for a very long time.  Did all original thought leave that company during the mass exit of their research team? 

OK, I agree making fun of their lack of originality of a BLOG title is probably being a little over critical so lets look at the content of the post itself.  Right from sentence one eEye comes off as being completely clueless;

“After a lifetime in the vulnerability assessment field, I’ve come to look at penetration testing almost as a kind of crime, or at least a misdemeanor.”

A crime?  Not this argument again.  Was Morey asleep for the 80s and early 90s?  Penetration Testing by definition is not a crime.  In fact, it is something that is done with permission (usually written permission) of the targets in question.  Perhaps what Morey is attempting to say is that “cracking” (for lack of a better word) or (sorry have to use it) hacking without permission is a crime.  Penetration Testing is not.  Did eEye consider this a crime when they sold Retina?  What about when they released detailed advisories that assisted in the creation of exploit code?  Why didn’t Morey, who was around for these things, not share his objection to this apparent crime?

“We enjoy freedom of speech, even if it breaks the law or license agreements. Websites cover techniques for jailbreaking iPhones even though it clearly violates the EULA for Apples devices”

Apparently Morey is not a lawyer.  Actually neither am I but most of us have the common sense to know that freedom of speech does not take precedence over a license agreement or EULA.  Freedom of speech is a great right we all enjoy but it does not protect any of us when we choose to violate other laws or agreements.  Hearing eEye rally in support of a EULA is amusing to me especially for those that remember the IDA Pro incident (google it).

“Penetration tools clearly allow the breaking and entering of systems to prove that vulnerabilities are real, but clearly could be used maliciously to break the law.”

Point being?  Is this really his argument?  I thought the mass damaging of brain cells via alcohol abuse left eEye a few years ago.  Apparently not.  I could use a rolled up newspaper to break the law.  For example, I could take this paper, roll it up and beat some sense into the author of this post — which would be some form of assault.  Does that mean we should all rally against newspapers because clearly in the wrong hands they can be used for evil?  Of course not!

“Making these tools readily available is like encouraging people to play with fireworks.”

It is the playing of these so-called “fireworks” that has improved the state of security today.  Without it, we would still be stuck in the 80s and guys like Morey would be selling used cars and not security software.  I won’t bother continually quoting and ripping apart each clueless sentence that came out of Morey’s keyboard.  But he does go on to be a little more obvious in his intentions by saying that it is the FREE tools that are the problem.  I guess now that Code Red, Nimda, and Slammer are a thing of the past eEye needs a new way to sell their product. 

This is the equivalent of blaming a firearm manufacturer for murder.  Guns don’t kill people.  People kill people and sometimes do so with a gun.  Licensing and tracking those who have Penetration Testing tools will not improve or change anything.  Do you think someone who willingly breaks the laws will care one bit about legitimately licensing a tool?  Do you think that everyone who commits a computer crime uses a free tool like Metasploit?  Obviously not.

If I was an eEye customer, and thank god I am not, I would be very concerned that someone who holds the title of “Director, Product Management” clearly has no clue about the security industry, what a real penetration test is, and what the value of tools like Metasploit offer.  It would be interesting to know how many modules in Metasploit were written as a direct result of information released by eEye Research.  I bet its more than one or two.  Perhaps eEye should be concentrating on improving their own products so they can actually compete with the free alternatives vs demonstrating a complete lack of coherent thought on their blog.

Would that make Morey not only clueless but also a complete hypocrite?

XBox Live DDoS Attack only $19.95

Posted in security with tags , , , on February 23, 2009 by hellnbak

Here is a horribly written article complete with FUD terms like “underground packet sniffing software” that was written based off of an equally bad article.  I wonder, does this make a horrible BLOG post?  😉

Anyways, the whole premise of the above is that “hackers” are performing a DDoS attack service for sore loser gamers on the XBox Live network.  While the articles and the quotes in the articles make is sound like some amazing accomplishment it really is not.  To do this requires almost zero skill, of course you need access to your very own botnet but these days those are not hard to come by and “borrow”.

Basically, one must simply sniff their XBox Live connection and, depending on the game (I believe and correct me if I am wrong that some games like EA games do not do direct connections but go through the EA servers), gather all of the IP addresses connecting to your network.

Now you have a choice, you can attempt to social engineer your way to the exact user you wish to DDoS or simply attack the entire group.  I mean it would be pretty simply to identify the geographical location of the IP address then simply say “Hey where is everyone from” and then make some guesses from there.

The whole thing is pretty lame as far as gamers go.  I mean what happened to losing the old fashioned way?  Yelling “your mom” jokes at the person who just beat you?

One of the articles mentioned something about sending the DDoS attack at the “Xbox Live port” (I can’t be bothered to double check which one) when in reality you need to simply just take out the person’s connection and not target any specific application which as we all know is simple enough to do.

Anyways, back to playing Afro Samurai on my 360.

ZOMG! World’s Greatest h4x0r!!!

Posted in security with tags , , , , , on February 14, 2009 by hellnbak

Today Fox News an “article” about how the “worlds greatest hacker” would compromise President Obama’s Blackberry.  If you want to waste some time you can read the full article here:

http://www.foxnews.com/story/0,2933,492705,00.html

Lets take a look at some of the FUD in this article.  First the headline itself, “Worlds Greatest Hacker”.  Where to start withthat one.  Was there some sort of competition recently where every hacker in the world got together to prove their skills?  Did we have the Hacker Oscar Awards and hand out trophies?  Regardless of who’s name is associated with this title, it is in fact extremely silly but as you will see required to build the level of fear uncertainty and doubt which is no doubt required in order to read this article.

Despite warnings from his advisers, the president insisted on keeping his beloved PDA, which now has specially designed superencrypting security software.

Superencrypting security software?  Thats right.. not just encryption but SUPERencryption. Encryption so SUPER it can leap buildings and give homeless people houses in one swoop. 

But even this SUPERencrypting software has it’s Lex Luthor.  But this time it is none other than Kevin Mitnick and according to this article Kevin is full of.. ummm.. Kryptonite.

But that just makes cracking into it more challenging — and, yes, it can be done, says the world’s most famous hacker.

“It’s a long shot, but it’s possible,” Kevin Mitnick told FOXNews.com. “You’d probably need to be pretty sophisticated, but there’s people out there who are.”

Mitnicksaid someone with access to Obama is much more likely to be targeted by hackers because their networks, particularly those used at their homes, would be much less secure than those used by the commander-in-chief.

Once armed with Obama’s coveted e-mail address, a hacker could theoretically send an e-mail to Obama in an attempt to lure him to a Web site that has previously been breached in order to transfer “malicious code,” Mitnick said.

This make sense obviously, I mean it doesn’t take the world’s greatest hacker to understand that a social engineering attack is really the way to go in this case.  Send the device an email from a “trusted” address and hope that they are naive enough to open the attachment or click on the link.  BUT, we are talking about a Blackberry device here meaning your run of the mill malware is not going to work and you had better have some skills and knowledge around the RIM platform.  Considering the target, this is not beyond the realm of possibilities.

Although again considering the target one would assume that some pretty heavy security awarness training has been given.  So far the article isn’t actually that bad but then Fox News decides to ignore technical accuracy with this gem:

Chris Soghoian, a student fellow at Harvard University’s Berkman Center for Internet and Society, agreed that the most likely route to Obama’s BlackBerry would be to trick the president into visiting a pirated Web site.

Pirated web site?  You can pirate web sites now?  I suppose I could make some room on my hard drive between all of the pirated software, movies and music for some pirated web sites.  Pretty sure they meant compromised web site in this case.  Doesn’t that seem like a lot of work?  I mean, first identify a web site your target is likely to visit it then “pirate” it.  There are other, much easier was to do this.

These are attacks when you visit a Web site, and within seconds, it hacks into your computer and forces it to download viruses,” Soghoian said. “In many cases, people get infected by using out-of-date browsers.”

Soghoian said he suspected that the likely culprit wouldn’t be a hacker who targets computers for notoriety or fiscal gain, but rather a foreign government looking for classified information.

OMG.. within seconds you get hacked just by visiting a web site!!  Obviously we have all seen examples of this sort of attack but to me the wording sounds like nothing more than fear mongering.  But note they said “outdated browsers”.  Last time I checked (just now) the options for a web browser is very limited on a Blackberry.  Mine runs both the built in RIM supplied browser as well as Opera Mini.  So, sure there is an attack surface there but that is assuming they allow Mr. President to surf the web from his device which to be honest sounds pretty far fetched.  In fact, I would bet that the device Obama uses is very limited in what functions it performs and is in fact locked down to the point that the web browser is removed as well as other basic functions like installing software.  But that is just a common sense guess.

But wait, all of this focus on Blackberry devices by the media and we do not even know for sure if that is what the device in question is.

“Nobody has really said with certainty what device he is actually using,” said Randy Sabett, a partner at Sonnenschein Nath & Rosenthal LLP and a former NSA employee. “That right there is an important subtlety. The less information known, the better.”

So here we have an article based completely on an assumption of what device the President may be using.  While I suppose it is a good assumption based on various photos it is still an assumption and while we all know that security through obscurity does not work and something tells me that it is only a matter of time before we all know for sure what the device actually is.

So does a BLOG post about an article that is about nothing actually exist?

Seeing how the big bad well funded Fox News cannot get things right, I reached out to Kevin and got his permission to publish the following from an email:

I did not pick the title so don’t blame me!

Second, I told this reporter numerous times that I don’t believe Obama uses his Blackberry device for anyclassified communications– that should be a no brainer, right?

I did, however, share some attack scenarios that are feasible. One example below I used to surveill the FBI when playing the fugitive game– which would likely work today.

Objective: Identify Obama’s current cellular phone number (SIMPLE)

1.  Compromise his past provider (he’s likely to be using the same one).
2.  Obtain past (3 months) billing records (call detail records)
3.  Compromise (current) provider and perform terminating number searches for any mobile device that has dialed or received calls from the same numbers on Obama’s past billing records.
4.  Maintain a list of suspect devices (mobile handsets) for further analysis
5.  Analyze each suspect device’s call detail records looking for a similar pattern of call traffic (incoming /outgoing)
6.  Narrow the list of devices down to similar call patterns
7.  Pull the subscriber data (billing name, address, contact #, device info (IMEI, SIM info) or (ESN if CDMA provider)
8.  Use mobile operator’s intelligent network to find where the device is registered (in real time)… Is Obama near that location?

Once Obama’s cellular number is identified the attacker can acquire his text messages by compromising the smsc (orable db) at  the provider, determine his location via cell tower registrations, and his capture call traffic ( via real time CDR).
 
Objective: Obtain Obama’s email address. (SIMPLE)

1.  Identify Obama’s close circle of friends and family.
2.  Compromise these target systems (phishing, wifi, etc) and install a trojan
3.  Steal authentication credentials stored on target system or via keylogger (web based email)
4.  Watch email communications.. eventually the attacker may hit pay dirt.

As far as compromising his BB device, I said it would be difficult but not impossible depending on whether he uses BB’s browser. The possible attack scenario I explained to the reporter was:

1.  Identify vulnerability in BB’s browser that allows execution of arbitrary code.
2.  After compromising his provider, identify what sites Obama visits on his BB (this can be logged by an attacker in the providers intelligent network.)
3. Identify the sites visited that are not so popular (minimize the potential victims) and compromise these targets.
4. Plant exploit code to execute payload– whatever that is…
5. Wait… and see what happens.

I brought up some others but the article omitted most of what I discussed… go figure…

Anyway, Happy Friday the 13th…

Kevin

All of what Kevin said above is of course plausible but far be it for Fox News to care if they get anything right vs. just publishing some oversensationalized article.  Besides, as another friend of mine pointed out, isn’t the Blackberry Enterprise Server (BES) a more juicy target with a much larger attack surface?

DLP – Not just your spiffy flatscreen TV anymore..

Posted in security with tags , , , , on May 13, 2008 by hellnbak

DLP no not Digital Light Processing but Data Loss Prevention.  Yes, you read that right.  Not only has our industry, which by the way still has a huge credibility problem, attempting to steal an acronym from the consumer electronics industry but we have created an entire line of products based on ambulance chasing and fear.  Oh wait, ambulance chasing?  Fear?  Credibility problem?  Go figure…..

Ignoring the fact that one of the original purposes of Information Security is to prevent sensitive data loss our industry has created a whole new line of business catered to cashing in on scaring people by invoking the ghosts of <pick your favorite data loss story from http://attrition.org/dataloss >

So now, instead of following security best practices and common sense, vendors want you to buy their new wizbang product that in reality really does nothing more than the garbage you have already wasted your money on.

Sigh….

RE: Richard Clarke’s Source Boston Talk

Posted in security with tags , , , , , , , , on March 12, 2008 by hellnbak

I wasn’t able to attend Source Boston this year so I have been following the blog for the event as well as some random Twitter traffic on it.  I wanted to comment on this blog post but for some reason the blog requires me to register/login to comment but that feature seems to be broken.

 noworky.jpg

At least this gives me an excuse to add to my blog. 🙂

The first thing that struck me was this comment:

“Clarke cited the well-known DDoS attacks on Estoniaand the reported Chinese government hacks of other governments as examples of how what used to be called paranoia has become, in reality, state-sponsored cyber war. “

While I have the utmost respect for Mr. Clarke and I do agree with a lot of what he has to say.  This is pure FUD on his part.  The DDoS attacks on Estonia were not state sponsored and while you can loosely apply the term “cyberwar” to these attacks I wouldn’t say that this is the best example.  You can read a bit more on the Estonia thing over at Wired Threat Level.

The Chinese Government comment is very interesting to me.  This has been something that has been rumored and invoked by security salesmen for quite some time but with no actual proof attached to it. 

While I totally understand that any proof of this would be considered sensitive in nature if Mr. Clarke expects those outside of various .gov circles to believe these claims evidence must be produced.  This reminds me of one of my favorite Boondocks Episode.

http://www.imdb.com/title/tt0530297/quotes

Gin Rummy: I always say the absence of evidence is not the evidence of absence.
Riley: What?
Gin Rummy: Simply because you don’t have evidence that something does exist does not mean you have evidence of something that doesn’t exist.
Riley: What?

Anyways, I am getting side tracked.

The other comment I wanted to make on this topic is in regards to this:

“He went on to say that government regulations be put in place to require ISPs to clean all of their data to solve at least 80 percent of cyber threat issues; and that also require the government itself to report vulnerabilities discovered to hospitals, corporations, universities and financial markets. But quite frankly, this seems like a moot effort. Considering the molasses rate at which the U.S. government moves, what are the chances that even if it is first to discover a vulnerability, that it could get it patched and communicated quickly enough to really protect high profile data? I’m no expert, but my guess is low.”

Looking at the recent Comcast vs. BitTorrentexample consumers will not accept any ISP monitoring / cleaning or otherwise altering content.  Government regulation or not, users do not want their traffic monitored — it really is that simple.

The second part of this is U.S. Government reporting discovered vulnerabilities.  Is this not what CERT is for?  Has CERT not proved to all of us that this is actually a bad idea for various reasons.  I do think that we need a reliable, trusted, and secure third party to help researchers report vulnerabilities (I would love to do this with VulnWatch) but I do not think it needs to or should be a government entity. 

Many have the opinion that vendors are still moving too slow to fix security vulnerabilities (average of 120-150 days in my experience) adding government bureaucracy to the process will only make it worse.

Finally, after all the above complaining and tangents I do want to say that I agree with Mr. Clarke that one day we will see some sort of full scale state sponsored cyber-attack on critical infrastructure.  Sadly, nothing will be done to prevent this until it actually happens and even then there is a good chance that the wrong things will be done in response.  Take a look at the world since 2001 to see some very good real life examples of this.