December 30, 2005

Is it just me or is anyone else concerned?

So, if you haven't heard by now, we're all vulnerable. Meaning that Microsoft has a zero-day vulnerability out there, it's unpatched, and it's in functionality that's enabled by default. Yeesh... Anyway, Pete Lindstrom has been posting recently about how this particular bug is largely irrelevant. Pete's point is that because the vulnerability requires user interaction, it's not an issue. No disrespect to Pete intended, but I'm not entirely in agreement on this one. Here's the crux of the argument: you have to go to a malicious web site to be impacted by this bug. Because of the need to follow a link to retrieve the content ("user interaction," as mentioned in Pete's entry), only the people who don't read security alerts are likely to be hit. Allow me to interject the caveat that I haven't researched this vulnerability myself; I'm going on what information I can find in the press (which can be somewhat unreliable at times).

Needless to say, I disagree. Pete's underlying point is a sound one, namely that not every security vulnerability is the end of the world. However, I don't think "clicking a link" is much of a barrier to prevent a user from becoming compromised, especially when so many programs will automagically retrieve HTML content and render it behind the scenes. Mail someone an HTML mail with a server-hosted image in it and you'll see what I mean.
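As an added illustration of that last point about programs retrieving HTML content on their own (example code, not from the original post or from anyone it mentions): a small Python scanner, written from the defender's side, that finds every reference an HTML mail would fetch on render and rewrites the message so nothing is fetched until the user explicitly asks. The sample message is constructed; tracker.example.net and static.example.net are placeholder hosts.

```python
"""Find and neutralize remote-content references in an HTML e-mail.

Added example (not code from the original post). It is the defensive
counterpart of the point above: a mail client or gateway that renders
HTML should not fetch remote resources automatically, because every
automatic fetch is a request the user never chose to make. The message
below is constructed for this example; the hosts are placeholders.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the renderer fetches over the network as soon
# as the tag is displayed, keyed by tag name.
REMOTE_ATTRS = {
    "img": ("src",), "input": ("src",), "iframe": ("src",),
    "frame": ("src",), "script": ("src",), "embed": ("src",),
    "link": ("href",), "object": ("data",),
}
# url(...) inside inline style attributes (background images and the like).
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


def is_remote(url):
    """True if loading `url` would contact a network host. cid: (inline
    attachment), data: and about: URLs do not, so they are left alone."""
    parts = urlsplit(url.strip())
    return bool(parts.netloc) and parts.scheme.lower() in ("", "http", "https", "ftp")


class RemoteRefCollector(HTMLParser):
    """Collects (tag, url) pairs that would be fetched automatically on render."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lowercased tag/attribute names and unescaped values.
        for attr, value in attrs:
            if not value:
                continue
            if attr in REMOTE_ATTRS.get(tag, ()) and is_remote(value):
                self.remote_refs.append((tag, value.strip()))
            elif attr == "style":
                for url in CSS_URL.findall(value):
                    if is_remote(url):
                        self.remote_refs.append((tag + "[style]", url))


def find_remote_refs(html):
    collector = RemoteRefCollector()
    collector.feed(html)
    collector.close()
    return collector.remote_refs


def scan_message(raw_message):
    """Parse a MIME message and report every remote reference in its
    text/html parts, plus the hosts that would learn the mail was opened
    (and when, and from which address) if it were rendered as-is."""
    msg = message_from_string(raw_message)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            refs.extend(find_remote_refs(body))
    hosts = sorted({urlsplit(url).netloc.lower() for _, url in refs})
    return {"remote_refs": refs, "hosts": hosts}


def neutralize(html):
    """Rewrite `html` so rendering it performs no network request: every
    remote URL is replaced by about:blank. The blocked URLs are returned
    so a client can offer an explicit "load remote content" action.
    Simplification: the parser unescapes entities, so a URL written with
    &amp; in the source would not be matched by the plain-text replace."""
    blocked = []
    clean = html
    for _tag, url in find_remote_refs(html):
        if url not in blocked:
            blocked.append(url)
        clean = clean.replace(url, "about:blank")
    return clean, blocked


# Constructed sample: one inline (cid:) logo, which is harmless, and three
# remote references a renderer would fetch without asking.
SAMPLE_HTML = """<html><body>
<p>Happy holidays from the team!</p>
<img src="cid:logo@example.net" alt="logo">
<img src="http://tracker.example.net/open.gif?id=4711" width="1" height="1">
<link rel="stylesheet" href="https://static.example.net/news.css">
<div style="background: url(http://static.example.net/bg.png)">Season's greetings</div>
</body></html>
"""
SAMPLE_MAIL = (
    "From: newsletter@example.net\n"
    "To: reader@example.org\n"
    "Subject: December newsletter\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n" + SAMPLE_HTML
)

if __name__ == "__main__":
    report = scan_message(SAMPLE_MAIL)
    for tag, url in report["remote_refs"]:
        print(f"{tag:12} {url}")
    print("hosts notified on open:", ", ".join(report["hosts"]))
    clean, blocked = neutralize(SAMPLE_HTML)
    print(f"blocked {len(blocked)} remote reference(s); remaining: {len(find_remote_refs(clean))}")
```

The point of the scan is not the pixel itself but the list of hosts: each one learns the moment the mail was displayed, from which address, and with which client, without the reader having "clicked" anything. A client that renders with neutralize() applied and only loads the blocked list on request turns that silent fetch back into the user interaction Pete's argument assumes.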

Pete's guidance, "get a HIPS" and "don't click on it," does a disservice to the user in my opinion. In this day and age, I think our response to malware and vulnerabilities has to be better than "don't click on it"... as we should have learned from the eighties, "just say no" doesn't work. As to putting your faith in a HIPS: I just put a bunch of them through the lab for accuracy testing, and let's just say I'm worried if that's the last line of defense.

Posted by Ed at 07:11 PM

Some mixed reactions about FFIEC authentication guidance

Last month, if you remember, the FFIEC put out their 2005 authentication guidance. We harshed on it here, saying that we didn't think there was much of a difference between the 2001 guidance and the 2005 guidance. We've received some mixed feedback on that commentary from folks in FS (folks I've worked with in previous lives)... As of now, I've spoken to two individuals (one client and one ex-coworker) who pointed out that they feel the guidance is a mandate, or at least a stick that can be used to get the business folks in line... Anyway, I thought some out there might find it useful to know that folks in FS are actually taking notice of this. As to how much traction two-factor will get in deployment, that remains to be seen, but at least the interest is there.

Posted by Ed at 06:47 PM

December 28, 2005

SNL's Lazy Sunday

In case you missed it on the first pass, here it is again.

Posted by Ed at 01:26 PM

Marriott, you're killin' me

Damn, I just signed up for this.

Posted by Ed at 12:40 PM

December 22, 2005

SecurityFocus a Breeding Ground of Fascism?

I came across the Security Focus report "The NSA hears your concerns" today. The article was nothing special: just some more noise about how the NSA was engaged to conduct wiretap activities against American citizens without a court order - anybody who follows the security news knows that this isn't a new story. However, what I did think was noteworthy were the comments to the article. For example:

As long as you're not engaging in criminal activity, what's there to worry about anyway? [c0re]

Agreed, this is nowhere near the first time the Gov't has taken initiative to help protect us. Quit blaming Bush. [anonymous]

National Security "spying" is codified into law since the early 1980's, including surveillance domestically. Whether you agree with the War on Terror or not. It's legal! [anonymous]

Presidents have always had the power to collect intelligence on communications with foreign powers w/o a warrant, especially in wartime. If they WEREN'T doing this, then I'd be worried [Anonymous]

And so on. For all that we might think that the security industry is populated by individuals who respect personal liberty, think again. This is a site by security practitioners for security practitioners. Just throwing it out there.

Posted by Ed at 06:19 PM

Google gets slapped by public opinion

It's a "banner day" for Google. They stopped the unholy union of AOL and Microsoft search capability, but everyone and their brother is coming out of the woodwork to criticize the move. Paul Thurrott says that Google has sold its soul and Thomas Claburn calls the integrity of Google into question in terms of how they represent themselves.

It's certainly true that Google cannot continue to make the statement that they do not alter the order or "rank" of sites for money - because now they do. They also can't make the claim that they clearly distinguish between paid and unpaid links - because now they don't.

Of course, I'd be really interested in hearing what John Battelle has to say about it, but unfortunately I can't right now because somebody has secretly replaced it with Folgers or whatever. On the plus side, the site that is now impersonating battellemedia.com has some really cool Internet maps like the one below.

Posted by Ed at 11:36 AM

Oracle Adopts Fortify

Oracle has apparently decided to go with Fortify for code-scanning. According to Mary Ann Davidson:

"There's lots of Band-Aid products out there that protect against attacks. You wouldn't need so many Band-Aids if you could actually have a vaccine," Davidson says.

Sigh. Vaccine? I'm not clear on the metaphor; is Fortify the vaccine? For us or for Oracle? Seems to me like Oracle is the sick one in this equation. I had fully planned on reaming out Oracle in this humble forum for "sticking their head up" too early after their public blasting in the summer, but it looks like David Litchfield has done that work already in the security press. My favorite quote from him this round is:

"By far the best approach is to code securely in the first instance," he said. "Source code scanning tools should be the last line of defense, not an excuse for lazy and insecure programming."

Posted by Ed at 10:07 AM

December 21, 2005

Props to Alex

Maybe you've heard that a gaggle of Symantec products were hit by a heap overflow in the past day or two. Just for some background, Alex Wheeler is the researcher responsible for finding this particular flaw, and as they say in New England, he's "wicked smaht".

Now that the props are out of the way, here's the lowdown on the bug: in the RAR processing of a scanned file, there's a heap overflow that can be exploited to run arbitrary code. Since the bug is in the library that's shared by the majority of the Symantec products, almost all of the Norton and SAV products are impacted. Trying to surgically disable the RAR processing functionality in these products is a nightmare. Not good news if you're running a SYMC product...

Posted by Ed at 08:30 PM

December 20, 2005

Journal of Computer Virology Part Deux

Remember that phoolishness with the Journal of Virology last week? For any interested parties, I thought I'd pass along their response. Took them a week to get it to me, but I was kindly informed in a one-liner from their customer service department that an individual subscription is 329.00 dollars a year. Needless to say, I deleted the email with extreme prejudice.

In other news, the folks whose job it is to investigate computer breaches got hax0red and left all the forensics practitioners up the creek. I guess there's no shortage of folks for them to draw on to investigate whodunnit.

Last, but not least, male enhancement continues to lead the spamming charts.

Posted by Ed at 11:31 PM

December 17, 2005

Fun with Numbers and the Netcraft Toolbar

So, you know the site ranking value on the Netcraft toolbar? If you don't - basically every page in the world has a rank according to NetCraft and that rank gets shown to you in the toolbar. I thought this was interesting - interesting enough to spend some time thinking about how accurate these numbers are or aren't. I even did some research to find out - and, in the end, I came to the conclusion that they're not very accurate.

Actually, random inaccuracy isn't such a huge deal, but the NetCraft numbers are actually more "skewed" than "inaccurate." In particular, it's the methodology that skews the results. To see what I mean, consider the position of NetCraft in the pecking order (#7), just a few entries above eBay. Don't get me wrong, NetCraft's statistics and the toolbar are cool and stuff, but more traffic than eBay? That's suspicious, don't you think? Unless you take into account that all the informational links on the toolbar go to Netcraft and the only population surveyed are those with the toolbar (Ah-Ha!), in which case it's actually possible, since each click on a toolbar button (prominent on the browser window) counts as one "cha-ching" for the Netcraft site listing.

We can also tell that the Netcraft values are skewed in favor of Firefox usage patterns (which differ from IE usage patterns). This is because a statistically large portion of the population running the Netcraft toolbar is on Firefox. How can we tell that? The numbers tell us. Google is the top site for Netcraft (#1) and is the default home page for Firefox; Alexa (the spyware people), who use a similar methodology for ranking sites but only run on IE, show Google at position 3. In Alexa (again, IE only) we would expect a high incidence of MSN, since it's the default page for most incarnations of IE. It's #2 on Alexa and #19 on Netcraft. What does that mean? A higher ratio of Firefox to IE in the Netcraft population...
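To make the two sources of skew concrete, here is an added example (not from the original post, and not Netcraft's or Alexa's actual methodology): a constructed traffic model in Python where (1) the toolbar vendor's own site collects a hit for every toolbar button click and (2) the toolbar panel has a different browser mix than the population at large, so each browser's default home page is over- or under-represented. All traffic figures, browser shares and per-session profiles are made up for the illustration; only the mechanism is the point.

```python
"""Sampling bias in toolbar-based site rankings.

Added example, not code from the original post and not any vendor's real
methodology. The constructed numbers illustrate the two distortions
described above: the toolbar's own links inflate its vendor's rank, and
the panel's browser mix (heavily Firefox) inflates whatever the default
home page of that browser happens to be.
"""
from collections import Counter

# Constructed page views per thousand sessions for a typical user of each
# browser. The profiles differ only in the default home page (MSN for IE,
# Google for Firefox) and a sliver of organic traffic to the toolbar vendor.
PROFILE = {
    "ie":      {"msn.com": 3000, "google.com": 2000, "ebay.com": 2000,
                "amazon.com": 1000, "netcraft.com": 50},
    "firefox": {"msn.com": 0, "google.com": 4000, "ebay.com": 2000,
                "amazon.com": 1000, "netcraft.com": 100},
}

# Whole population (thousands of sessions): mostly IE in 2005.
POPULATION = {"ie": 85, "firefox": 15}
# Self-selected toolbar panel (thousands of sessions): heavily Firefox.
PANEL = {"ie": 30, "firefox": 70}


def page_views(sessions_by_browser, toolbar_vendor=None, clicks_per_thousand=0):
    """Aggregate page views. If a toolbar vendor is given, every session in
    the sample also registers clicks against the vendor's own site, because
    the toolbar's informational links all point there."""
    views = Counter()
    for browser, thousands in sessions_by_browser.items():
        for site, per_thousand in PROFILE[browser].items():
            views[site] += thousands * per_thousand
        if toolbar_vendor:
            views[toolbar_vendor] += thousands * clicks_per_thousand
    return views


def rank(views):
    """Sites ordered by page views, most popular first (ties broken by name)."""
    return [site for site, _ in sorted(views.items(), key=lambda kv: (-kv[1], kv[0]))]


def position(views, site):
    return rank(views).index(site) + 1


def compare():
    """(true rank, toolbar-panel rank) for the sites discussed in the post."""
    truth = page_views(POPULATION)
    panel = page_views(PANEL, toolbar_vendor="netcraft.com", clicks_per_thousand=2000)
    return {site: (position(truth, site), position(panel, site))
            for site in ("google.com", "msn.com", "ebay.com", "netcraft.com")}


if __name__ == "__main__":
    for site, (true_rank, panel_rank) in compare().items():
        print(f"{site:14} true #{true_rank}  toolbar panel #{panel_rank}")
```

With these made-up inputs the panel puts Google at #1 and the toolbar vendor above eBay while MSN drops from #1 to #5, which is the same shape as the discrepancy between the Netcraft and Alexa lists. The model does not show that either list is wrong; it shows that a ranking built from an instrumented, self-selected sample measures that sample's habits, so two panels with different browser mixes will disagree even if every count is recorded perfectly.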

Posted by Ed at 09:03 AM

December 16, 2005

Atom Smasher Strikes Again!

He's at it again! Atom Smasher, the man who brought us the BBQ Sign Generator, has now given us the Chinese takeout sign generator. Love it.

Posted by Ed at 09:19 AM

December 15, 2005

Phished by the Journal of Virology!?!?

About a week ago, I came across a reference to the "Journal of Computer Virology" in the Worm Blog. It's a new journal about malware that looked interesting so I thought I'd try to subscribe if the rates were reasonable... and maybe submit some material since there's a CFP open.

Anyway, the short story is that I went to the Springer website and couldn't find information on individual subscriptions, so rather than giving up, I wrote to them asking how to subscribe. I went back and forth for a while with their licensing department and was ultimately sidelined to customer service. A week later I received this email:

Thank you for your inquiry. If you would like to place a journal order, please provide complete shipping and billing address, if different, complete name of person ordering, telephone number, credit card number, expiration date, name on credit card, name of journal, specify whether for an institution or individual, and for what year.

Um... So, let me get this straight: I send all my personal account information and payment details via email in order to subscribe to an information security technical journal. Isn't that kind of like having a cigarette machine outside a 'smoke-enders' meeting? Bad customer service I can handle: the week-long wait wasn't an issue, the impersonal form letter, the shuffling between various reps over at the company. I'm used to all this stuff. But what really sizzled my bacon was the cavalier attitude about my data. And the fact that it is a form letter means they send this particular message out fairly often; how many other people get this mail and send them the data? How many people are subscribing to non-infosec journals and don't know email is an unacceptable way to harvest payment and address information?

In my opinion, the situation is compounded by the fact that Springer, the publisher, is a German company and ought to be operating under the auspices of the EU Data Privacy Directive. Isn't there something about "adequate protection" when collecting personal data?

So needless to say, I think I'll pass on this for the time being.

Posted by Ed at 11:25 AM

December 12, 2005

Why is this illegal?

If you remember, last week a vulnerability for Microsoft Excel was put up for auction on eBay. Sadly, the auction has been stopped for violating eBay's terms of service. Specifically, according to eBay, the listing actively encourages "hacking" and therefore had to be removed.

When I first read this, I was a bit irritated, but I couldn't quite put my finger on why. But then it hit me: it's the underlying assumption that ticks me off. In other words, the underlying assumption by eBay is that somehow the seller is doing something morally wrong; actually, they take it a step further and imply that what he's done is criminal in addition to being immoral. eBay stated publicly that "The listing was immediately reviewed and pulled from the site for violating our policy against promoting illegal activity - hacking." Back that truck up there just a second. Is that really true? Is the seller really promoting hacking?

Take a look at the auction content: the seller specifically says, "Your bid indicates that you agree to the following: You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only... The seller does not encourage any illegal activity." Sounds to me like the seller really hammered it home in actively discouraging hacking.

What specifically about this particular auction makes it "promoting illegal activity"? If the answer is "nothing", then the auction was pulled because eBay believes all vulnerability research promotes hacking. Is a vulnerability researcher, by nature of the work they are doing, promoting illegal activity? Does Halliburton actively encourage war by manufacturing munitions? I happen not to think so, but even if you accept that they do - they're clearly allowed to do it in a free market society. Ask Dick Cheney if weapons sales should be disallowed because they "promote war". Granted, eBay has a policy to prevent the sale of firearms and munitions on their site - that's their right, but they don't somehow imply in the process that trying to sell a gun makes you guilty of "promoting homicide."

Give vulnerability researchers a license to sell their wares if you want, tax them more heavily, make them register with the state, or whatever other hoops you want to make them jump through; just stop calling them criminals for trying to make a buck. And while we're at it, how about a moratorium on calling them criminals when they're doing it for free, too?

It seems to me that all this centers around the question of who has ownership of the vulnerability, and what use a researcher can put their findings to. I'm a capitalist. I believe that a researcher who discovers a flaw owns it, in its entirety, until they choose to disclose it or to transfer ownership to someone else. If they own it, they should be allowed to sell it - and more power to them if they can get a better price by putting it up for auction.

Posted by Ed at 12:05 PM

December 09, 2005

Thoughts about CyberTerrorism

A recent article citing the FBI's skeptical view of cyberterrorism caught my eye this morning. Cyberterrorism is a touchy subject, and it's interesting that the division about the myth/reality status of politically-motivated attacks extends even to divisions of the DHS itself. Overall, it's been a divisive issue: some well-respected security folks like Bruce Schneier have made convincing arguments about how it's bogus, while other well-respected security folks like Dorothy Denning have made convincing arguments about why it's real.

In the context of the overall DHS security posture, it's clear that the FBI is the odd man out. In other words, the rest of the DHS doesn't exactly share the FBI's optimism about terror groups' lack of initiative, training, or savvy. For example, back in the day when he was the "big kahuna," Tom Ridge told us that "Terrorists can sit at one computer connected to one network and can create worldwide havoc -- don't necessarily need bomb or explosives to cripple a sector of the economy, or shutdown a power grid." The former chief "cyberterrorism czar" Richard Clarke told us, "We have to differentiate from an attack that has already happened and the kind of attack that will come... From our perspective, we don't worry about when; we worry about what they can do and start locking doors." He's also said:

Well, the fact that these people are gathering skills in cyber war capability is very troubling, combined with the fact that we know that they're looking on the Web for hacking tools. We know that, because we've seized some of their computers. It suggests to me that Al Qaeda may be trying to grow an indigenous cyber warfare capability. I think it suggests that someday we may see Al Qaeda, if it's still alive and operating, use cyberspace as a vehicle for attacking infrastructure -- not with bombs, but with bytes.

Personally, I don't really have an opinion about cyberterrorism. However, I think the willingness of the FBI to speak in a manner contrary to the rest of the DHS shows "go-get-'em"-itude on their part. Props to them for fighting the tide of FUD and telling it like it is - these probably won't be popular comments over at the DHS.

Posted by Ed at 11:46 AM

December 08, 2005

Double Props to Emergent Chaos Today

That's right, two sets of props today for the Emergent Chaos crew: Propz #1 for telling us about the Excel 0day up for bid on eBay - whoever did this has an axe to grind with the various vulnerability franchises and a vein of sarcasm wide enough to criticize in an attention-grabbing way. Note that I happen to disagree with that criticism, but I still can appreciate the manner of delivery.

Propz #2 for mentioning Gobbles in the same post.

Posted by Ed at 03:58 PM

December 07, 2005

SYMC sees its shadow

It's that time again. With the approach of the new year inevitably comes the storm of new year's prognostications designed to give infosec practitioners a head-start on what's to come in aught-six. It's time to sum up the old and forecast the new; and kicking off that effort is none other than John "Punxsutawney" Thompson himself telling us all what's to come in the new year. OK, that's not exactly true; John Thompson didn't make the forecasts himself - Vincent Weafer over at SYMC was the actual individual tasked with making the predictions (even Punxsutawney Phil has a handler you know.)

So, what does SYMC say we have queued up for 2006? Surprisingly, it's low-volume fraud-based attacks like spyware and phishing. And according to Symantec, "there is apathy and a general lack of interest about it." (It's been a long time since I've been called "apathetic"; high school was the last time, I think.) Of course, someone might point out that this is more or less the same as 2004 analyst predictions for aught-five and 2003 analyst predictions for aught-four, but that would spoil the fun.

Posted by Ed at 09:11 PM

No DHS Left Behind?

According to CNET, the DHS takes another one on the head. This time, it's from former members of the 9/11 commission who say, "The federal government is not making enough progress in protecting critical infrastructures... Progress also is lacking in airline security and providing radio spectrum to first responders..." Sweet.

It's in "report card" format, which makes the DHS security posture seem kind of like a submarine: below "C" level. Notable flunkage is in the areas of airline pre-screening, allocation of funds based on risk, and declassification of the budget. There are "D"s in "Critical Infrastructure Protection," "Internal Collaboration," and "Information Sharing." I think maybe it's time we start applying some of the rules from the "No Child Left Behind" initiative to the DHS, like turning over control of the underperforming DHS to the Department of Education.

"There are far too many C's, D's and F's in the report card we will issue today. Many obvious steps that the American people assume have been completed have not been. Our leadership is distracted... All key decisions are at least a year away. It is time that we stop talking about setting priorities, and actually set some."

The DHS response has apparently been to step up security by throwing random people on the "terrorist watch list." Nothing says "we're getting it done" like strip searches all around.

Posted by Ed at 01:46 PM

Lynn Throws Egg at ISS

Wired put together an article about how ISS is sitting on a number of Cisco vulnerabilities. Apparently, according to Mike Lynn, there are a number of as-yet undisclosed issues with Cisco.

"That's the one that really scares me," Lynn said, noting that the bug he revealed in July only affected routers configured in certain ways or with certain features. The new one, he said, "is in a piece of code that is so critical to the system that just about every configuration will have it. It's more part of the core code and less of a feature set."

Is it just me, or does anybody else think it's bad form to spread this kind of FUD when it's somebody else's vulnerability to disclose (in this case ISS) and there's no vendor fix? Thanks, Mike, for getting us all frothed up and not giving us anywhere to go...

Posted by Ed at 12:15 PM

December 06, 2005

What's the deal with RSA!?

According to eWeek, RSA is "reshuffling." Apparently, they've purchased Cyota, they're reorging the whole engineering staff (yikes), and they've lost their CFO! Look, I'm all for RSA buying companies. RSA needs to do something in order to stay alive (their revenue is at flatline right now), and they need to do it fast while there's still something left to buy stuff with. But they need to be smart about it: no aimless flailing around looking for a new business model. In my opinion, Cyota isn't going to get RSA where they want to be. What are they getting from Cyota? Cyota primarily targets FS and has two types of products: fraud prevention and B2C two-factor auth. Uh-oh.

First of all, I've said it before, and I'll say it again: two-factor auth is going nowhere in FS. RSA says, "Financial services customers, in particular, are looking for different types of authentication solutions," but I have yet to speak with anyone actually in FS who has more than a passing interest.

And their fraud prevention can be summed up in two words: "payments" and "phishing". Uh-oh again. Is Verified by Visa still around? I thought it went the way of SET. Look, until Amazon and WalMart support VBV by default, this technology is going exactly nowhere. The top priority for an online merchant isn't fraud prevention; it's keeping shoppers from abandoning their carts. Slow or unresponsive servers mean abandoned carts. Banks' authentication servers have a different set of needs, and you can bet your bottom dollar that maximal performance for the VBV server isn't a top priority. From the merchant's point of view, having to make requests to some "could be faster" bank authentication server in order to authenticate the user (again) adds to the transaction time, and that leads directly to lost sales. Do you think preventing 100k in fraud is worth losing 3M in sales? Not an equation I'd be comfortable with if I were Amazon. Look, despite the shift in liability offered by VBV, the economic incentive is for merchants *NOT* to support it.

The only potential upside is the Cyota anti-phishing. They don't make enough information available on their website for me to criticize it, so maybe it's great and worth the huge bucks RSA's laid out. But I doubt it.

Posted by Ed at 01:53 PM

December 05, 2005

Malware FUD and Flames

In case you haven't been following this, the AV-Comparatives November 2005 results are out. If you follow the link, go to the Comparative #8 halfway down the page; I apologize for not providing a direct link, but I'm following their "Terms of Use" and linking to anything other than the "main page" is verboten (literally - it's a German site.)

Here's my take on this. On the one hand, I find the fact that AV-Comparatives is doing independent research on AV accuracy to be useful to the community. I would take issue with some of the specifics of the methodology (like the lack of easy-to-follow transparency into the lab testing), but that's just a minor point. On the other hand, I find the ridiculous FUD that their reports are being used to perpetuate to be reprehensible. "Majority of... Corporations are Vulnerable...", "Alarming Findings..." etc. Granted, this noise isn't coming from AV-Comparatives but from ESET, but maybe AV-Comparatives could use their copyright to distance themselves from the FUD. So, sort of "mixed props" to AV-Comparatives.

Also, I'm interested to see how StopSign plays out in the long-term. Interestingly, they have chosen to almost completely ignore the security community and are instead focusing a tremendous amount of marketing dollars on the public at large: you won't see them in SC Magazine, Information Security Magazine, or the like but you will see them on CNBC's SquawkBox, MSNBC, on CNNfn, etc. I'm curious to see how well this tactic works in the long-term. I haven't used the product, so I can't comment on how it works per se, but I'll be keeping my eyes open.

Posted by Ed at 11:10 AM

December 01, 2005

Scott Borg Newly Appointed DHS "Debbie Downer"

The cyber attacks of recent years have been relatively unsophisticated and inexpensive compared to the potential of organized attacks... Organized attacks by teams of hackers... could have a huge impact on a nation's economy... We will probably see terrorist groups, criminal organizations putting together combinations of talent...

Wow. Does anybody have a straight razor or some sleeping pills? What a bummer. What kills me about this is that he's not wrong; I hate FUD (Fear, Uncertainty, Doubt) and I particularly hate FUD in the media. However, Scott has a point, and thinking it over, I think it's good "due diligence" for the DHS to listen to what he has to say. Not that I'd want to share a cab ride with the guy.

Any security practitioner worth his/her salt knows the traditional wisdom that most threats come from the inside. I've worked in financial services, so I'm pretty well versed in how security in that sector goes down (i.e. it's just like everywhere else.) So, I think it's not out of line for someone like Scott "resistance is futile" Borg to point out that if baddies could coordinate an attack with collusion from the inside - that they could do some serious damage. It's not necessarily a new idea (it was, after all, a plot point in the movie "Fight Club"), but somehow Scott puts some super-depressing English on it that really makes it slam home.

Posted by Ed at 08:30 AM

SANS and OSX

There's been a lot out there for the diligent security practitioner to read about the Mac the past couple weeks. Adam Shostack has some great ranting over at Emergent Chaos, we've ranted about it here, and now even SANS is ranting about it. Usually I'm pretty critical of SANS, but in this case, my hat is off to them for finally helping to dispel the myth that Macs are somehow inherently more secure than the rest of the world - a completely ridiculous notion.

In semi-related news, as those of you who follow this blog know, one of the new startup companies we've been keeping our eye on over here is the Trustifier product from Googgun. I heard about a week or so ago from Rob at Googgun that the plan is for them to have a Mac version. Sounds like a good move, from both a product and a marketing perspective (given the amount of interest in OS X security nowadays).

Posted by Ed at 07:58 AM