May 26, 2006

eEye Sells Us Down the River

In a recent bout of press-mongering, eEye has decided to "predisclose" a security issue in SYMC's software. In other words, eEye has published a report saying that there is a vulnerability and what products it impacts, but doesn't give any of the actual details pending a patch from Symantec. Because of the eEye hype, outlets like CNN picked this story up and ran with it, painting a pretty damning picture.

Frankly, I'm surprised that eEye is doing this. While it serves their purposes of generating press (that is, after all, what eEye's always been best at), it's clearly antagonistic to Symantec and I would argue that it puts users at risk. Folks at eEye would probably assert that it's not dangerous to the community because no details of the exploit were published. However, in the article, it's pointed out that eEye demonstrated the vulnerability to the Associated Press... What assurances did eEye have that these AP journalists weren't technically astute enough to understand what about the situation would exploit the vulnerability? Isn't it within the realm of possibility that the journalist witnessing the exploit in action might knowingly or unknowingly divulge enough information to their readers to let the cat out of the bag? If this is going to be eEye's standard disclosure process going forward, doesn't this seem a bit dangerous?

Alright, assuming that the open demonstration of the issue to the press won't lead to the details being exposed - how far along is Symantec in the patch process? Maybe a patch is right on the heels of this, but I suspect it probably isn't. Even if a patch was imminent when eEye made their announcement, anything could happen over at Symantec to delay a release - QA problems could arise requiring more testing, additional information could be discovered about the patch that requires a rewrite, etc. Since eEye didn't wait for the patch, they don't know what might happen internal to Symantec to slow down the patch development. So, attackers have an unspecified period of time to go over the SYMC AV product with a fine-toothed comb in case they're looking for this issue.

So, to sum up:

1) Attackers now have a "lead" on where to look to find a juicy issue
2) Symantec has a full-blown marketing issue to contend with as they struggle to patch this 0-day
3) There's the potential for eEye researchers, AP journalists, or other "in the know" people to divulge information about this ahead of a patch

Needless to say, I'm not happy about what eEye's done here. In particular, I'm upset because of their hypocrisy. Either you respect the disclosure process and let the vendor release a patch before disclosing or you don't. But don't pretend you're an upstanding citizen while at the same time undermining security for millions of people and sabotaging another firm's image to get press for yourself.

Posted by Ed at 10:21 AM | Comments (0) | TrackBack

Oracle on Software Security

Oracle has (probably wisely) been keeping their head down the past few months, so imagine my excitement when I saw that IDG put out this article where Oracle discusses their approach to software security. And there's some choice stuff in there - the article starts with Mary Ann Davidson commenting on the "unbreakable" campaign. Talking about her reaction when she first heard it, she said "my response was 'What idiot dreamed this up?'" What idiot, indeed. I'm not going to fault her for this criticism, since I happen to share her opinion. However, a stickler could make the point that she saw things as a little less black-and-white back in the day:

"We believe the market effect of the 'Unbreakable' campaign raises the security bar and therefore improves security overall, both in forcing us to live up to the statement, and forcing others in the industry to begin to do the same. If our security today is imperfect but better than the competition, and if customers make a buying decision based on that criteria, than in the long term you will see all products in the market improve."

Oh well, not that it matters now. The article then moves on to discuss internal Oracle development security efforts. Given Oracle's track record in security, I'm surprised that they're running with this message. For example:

Davidson said the record for fixing one defect was 78 patches, which cost the company around $1 million.

If this were you, would you broadcast having to issue 78 patches to fix one bug? Yeah, I probably wouldn't either. As to whether or not they are getting better, I think it's too early to tell. However, I guess we'll find out in time...

Posted by Ed at 09:16 AM | Comments (0) | TrackBack

May 25, 2006

MPAA High on the Peyote?

Something is seriously wrong with the MPAA... You've probably already heard about the recent MPAA decision to sue people for linking to stuff. If you haven't heard about this foolishness, it's worth looking it up... About a month ago, the MPAA decided to sue a basketful of Usenet and Torrent related web sites for facilitating illegal downloads. What's really strange about the Torrent stuff is that they don't host or transmit copyrighted material - they link to it. So, according to the MPAA, if you tell somebody where to go to get pirated material, you immediately become part of the illegality. To use a physical-world analogy, if somebody comes up to you on the street and asks where they can buy a pirated DVD of "The Little Mermaid", you're doing something illegal if you say something like "try asking that dude with the movie table down on 5th Ave".

But I digress. The point isn't about that stuff... It's about the completely crazy event that came to light yesterday about what the MPAA has been doing to support the case against these guys. Apparently, according to a complaint from yesterday, the MPAA has hired a hacker to break into TorrentSpy's computer equipment, steal proprietary information, dumpster-dive, and so on. Creepy. Without TorrentSpy's claim to have the documented agreement between the hacker and the MPAA rep, I would suspect someone of making this stuff up. I guess we'll see how concrete the documentation is as the trial gets underway.

Posted by Ed at 09:25 AM | Comments (0) | TrackBack

May 24, 2006

Safe Mode! Are They Kidding?

In case you've been stuck in a cave for the past week, there's a new 0-day Microsoft Word vulnerability circulating. Microsoft has acknowledged the issue in an advisory, and they are currently working on a patch. However, since it'll be a couple weeks before a patch is forthcoming, they're proposing a workaround in the meantime: use Word in safe mode only and make a few minor changes to the way you use Word in the interim until a patch is released.

According to Microsoft, protecting yourself from this issue is easy - just follow a few simple steps:

1) change anything that starts Word (shortcuts, etc.) to use the /safe switch
2) change Outlook to not use Word as the editor
3) change your email client to never launch Word
4) change your browser to refrain from launching Word
5) refrain from opening Word files that may be embedded in other applications (e.g. Excel).

Oh, and don't forget to keep an eye on the Word titlebar anytime it starts to make sure it says "Safe Mode" each and every time you use Word. Of course, if you don't have Administrator access on your machine, you may need the assistance of the helpdesk to make some of these changes.

Simple, right? NOT! Really, how many users does Microsoft think will actually follow this procedure? Look: I'm a security professional and I know about the problem - and I'm *still* not going to follow the suggested steps because they're so intrusive and time-consuming. If I'm not going to do it, how likely is it that Old Uncle Jebadiah who barely knows how to check email is going to do it? That's about as probable as Ashlee Simpson winning a Grammy for "Best Vocal Performance".

So where does that leave us? Here's a 0-day remote execution issue that impacts 90+ percent of the desktops in existence, *and* the vendor-suggested workaround is so convoluted that we can be certain nobody will do it. Let the countdown to the malware-storm begin. Thanks, Uncle Bill!

Posted by Ed at 09:04 AM | Comments (0) | TrackBack

May 23, 2006

Awesome Take on the Daily Incite

If you're not reading it already, I highly recommend reading Mike Rothman's Daily Incite. Today, he's got an awesome take on the fluffy "research" Yankee put out yesterday - and trust me, somebody needs to take Yankee to task for it. Anyway, check this out:

I love it when analysts tell us what we already know, and then try to spin it into why customers should buy their services. Yankee Group is today's offender. They did a survey (you know how much I like surveys) of some small business owners and amazingly enough SMB folks are worried about security. WOW! They also end up deferring some security investments because of budgetary issues. Shocker! The insurance gets deferred because they have to pay the electric bill. Then an association of VARs points to the Yankee survey to highlight the "dangers" of taking security advice from peers. Of course, what they need are VARs to tell them exactly what to do, which amazingly correlates to which vendor is providing the best SPIFFs this month. Sometimes marketing folks make me nuts.

Posted by Ed at 09:42 AM | Comments (0) | TrackBack

eBay's "Security Chief" is the Man!

The head of security for eBay "down under" (Australian IT) is fairly hard on information security practitioners in a recent article. However, in contrast to that guy from a few weeks ago who was spewing all the hyperbole about infosuckitude, the eBay guy has a point - and he provides some suggestions for how to make things better. And no, I'm not being sarcastic. Check out what he has to say:

"There is nothing new about the Internet crimes we see and there is nothing new in the ways we have to fight them..."

"Hacking is breaking into someone's computer system and tampering with data or stealing it. Is it any different from so long ago when people would break into the store room and steal the files of a company?"

"We have phishing one day, spear phishing the next, deep sea phishing and puddle phishing. All of them are variations on a theme and none of them different to the other crime"

Right?!? How cool is this guy?

Posted by Ed at 08:51 AM | Comments (0) | TrackBack

May 22, 2006

Coolness

What's awesomer than Activision's Vampire: Bloodlines RPG? Easy: Bloodlines with the Unofficial 2.2 Patch!

Posted by Ed at 06:05 PM | Comments (0) | TrackBack

Rethinking McAfee Research

If you've been following my meanderings over the past few months, you know about the Rootkit report where they say that rootkit incidents have risen 2300 percent over the past two years, and you've seen their assertion that we're on the "cusp" of a phone-borne malware attack. Of course, I don't subscribe to any of that. However, I came across this article today citing the McAfee OS X Malware paper where McAfee warns Apple users about the possibility of "chip-based" malware. Sigh.

Needless to say, I don't think this is a real possibility. We haven't seen malware propagation via a hardware vector ever and I don't think we're likely to see it start happening now. As any programmer will tell you, as more time goes by, operating systems offer fewer mechanisms for a developer to interact directly with system hardware. Since the introduction of the HAL in Windows NT, there are fewer and fewer ways for a developer to directly address hardware components from the application layer. Not to mention the fact that the number of different permutations of components makes it almost impossible to ensure compatibility even on the same model system. One has to ask the question why some virus or worm would interact directly with hardware components, when it is a million times easier to propagate without doing that. So they can infect OS X? Not likely.

Posted by Ed at 05:25 PM | Comments (0) | TrackBack

May 18, 2006

Cool Infosec Resource

Throughout the course of my travels, I came across an interesting resource: the Infosecpedia. It is, as the name implies, an information security wiki. Anyway, it's pretty darn cool - cool enough that I'm thinking about contributing. Maybe one article a week or so. Not that I have a ton of free time, but this seems to me like it could be an awesome resource.

Posted by Ed at 01:22 PM | Comments (0) | TrackBack

May 15, 2006

On Remingtons, Magnums, and CISSP

In case you haven't heard, a bunch of folks in our industry are pretty fired up. They've gotten it in their head that the worst thing that could possibly happen to the noble institution that is CISSP is for college students to get certified. The contention is that CISSP is supposed to just be for security practitioners, and college students can't have the type of real-world experience required in order to legitimately obtain the cert. ISC^2 retorts that they are not giving away *real* CISSPs - but instead a sort of "CISSP-lite" that would be in place until the students got the experience required to move to the full-blown CISSP once they've cut their teeth.

All the brouhaha leads me to once again question the current certification process. Clearly there are issues, and all you have to do to see them is consider the "value" of the CISSP to the practitioner vs. the "value" of the CISSP to ISC^2. There's a fundamental disconnect between what motivates people to get CISSPs and what motivates ISC^2 to give it out. Look, the practitioner derives value from holding a CISSP due to its "exclusivity"; in other words, the fewer people that have the certification, the more valuable it is to the credential holder - that's why this issue with the college students is causing such a ruckus - it decreases the exclusivity of the cert. On the other hand, ISC^2 (as a for-profit entity) derives "value" from the CISSP due to popularity. That is, the more popular the cert is, the more people that they can get certified; the more people get certified, the more money they make - that's why the college students thing seems like such a good idea to ISC^2. These two sets of goals, while balanced for the short-term, are at odds over the long-term.

Of course, the true malcontent would say that the value of the CISSP is neither about popularity nor exclusivity, but is instead about utility. In which case, CISSP is already being eclipsed by yet another security certification - the most majestic of certs - the PI license. Umm... Yeah. See, since information security is (as a whole) an unlicensed discipline, practitioners without CISSPs are just as free to practice as those with - CISSP may (or may not) increase your salary, but it doesn't do bupkis for your ability to do the work. However, a PI license is starting to be mandatory for some areas of infosec. Laughable though it may seem, some states such as Georgia are requiring infosec practitioners to have a PI license in order to provide expert testimony in a court of law. More specifically, when the case involves "acquiring evidence" (e.g. forensics and incident response), only the evidence of a licensed PI is acceptable. So Remington Steele, Magnum PI, or any other cheesy eighties dick has a better chance of getting a slot as an expert witness in a Georgia courtroom than a trained CISSP, CISM, CPA, CPR, CLAP, or any other combination of letters - unless that CISSP is really a CISSPPI (CISSP with a PI.)

So the question to ask if you want to get certified probably isn't "how much experience do you have in security" but "do you look better in a tux or a Hawaiian shirt?"

Posted by Ed at 11:28 AM | Comments (0) | TrackBack

May 12, 2006

This one was funny...

Pete responds in a humorous way to that foolishness that we were griping about yesterday. Pure hilarity:

I eagerly await his Part 2 solution to the problem of failed security. I am going to go out on a limb and predict that he will recommend Mo' Better Security (tm). Something failing? We need more of it, of course.

Check out the full post over at Spire.

Posted by Ed at 08:48 AM | Comments (0) | TrackBack

May 11, 2006

Infosec "Prophet of Doom"

Everybody and their brother is blogging about the recent Security Absurdity rant "The Complete, Unquestionable, And Total Failure of Information Security". Due to the near tidal-wave of interest from the blogosphere, I decided to check it out and see if it was, in fact, all that and a bag of chips. Anyway, in case you haven't read the article, it's basically a laundry list of why information security sucks and why infosec practitioners are a group of bumbleheads - or at least that's my paraphrase, but I don't think it's an unfair one.

Basically, the premise is that the security community in toto has failed (in his words, "[failed] ourselves, our community and the people we are meant to protect") grievously and that we should all be ashamed of ourselves - we're apparently ignoring the stench of defeat clinging to us because of the fact that "business is booming" in infosec. Quite a condemnation, no? Or at least it would be if it were the case. So is it? Are we all dismal failures? I happen to not think so, but let's investigate...

Boiling down the content of the paper, the assertion that infosec has failed is predicated on the observation that there are threats, and that there are people taking advantage of those threats. It goes on to relate a laundry list of those threats, and the unfortunate ramifications of those threats being exploited. Where I think the argument breaks down is in the implication - I don't agree that the exploited threats imply the failure of security as a discipline. Look at this by analogy - if a bank has a bunch of security guards defending the vault, are the security guards always at fault if there's a theft? Or if a counterfeiter is able to make fake currency, has the Secret Service "completely failed" because of the fact that fraud could take place? I happen not to think so... In the physical world, just as in the digital world, risk management is about balancing threats with countermeasures, and producing a strategy for risk reduction commensurate with the risk. But this paper isn't about risk management - the cost/benefit of security isn't even mentioned...

Anyway, I think this paper is worth a read, but I don't think we should all hang our heads in shame as the author suggests. If you're going to read it, remember that the best kind of constructive criticism offers suggestions for improvement - in this case the author stops short of presenting anything to make the situation better (that's apparently for "part two" of the rant.) Dale Carnegie told us that "any fool can criticize, condemn, and complain" - but complaining doesn't help the situation get better.

Posted by Ed at 03:00 PM | Comments (0) | TrackBack

More Smasher Goodness

Atom's done it again. This time, he's got the Gas Station Sign Generator and the Construction Sign Generator. As always, these are too good!

Posted by Ed at 12:13 PM | Comments (0) | TrackBack

May 10, 2006

Keystone Cops go Virtual

As a security guy, I've always viewed law enforcement as "brothers and sisters in arms" - I've always felt a close camaraderie with the folks whose job it is to go out there and bring the bad people to justice. After all, isn't that pretty much what we're trying to do as security people? But recently it seems like law enforcement is making it tougher and tougher for us infosec folks to do our job.

Don't believe me? Check out the recent prosecution of Eric McCarty for pointing out a web application security flaw exposing personally identifiable information at the University of Southern California. Here's a guy who found a flaw in a public web app, brought it to the attention of the folks over there, and got arrested for his efforts. Apparently, PII was available through the webapp, McCarty noted this, anonymously divulged the information through a third party (with the intention of having that get back to the University), and because he looked at that data he was arrested. Now, it seems to me that if the University of Southern California makes subscriber data available through their own incompetence, the folks who happen to come around and look at it shouldn't get arrested for doing so.

Posted by Ed at 11:09 AM | Comments (0) | TrackBack

May 09, 2006

Grimes on Monoculture

I saw a fantastic article today by Roger Grimes about the mythology of computing monocultures; great stuff and right in line with our opinion on this topic:

And if you think patching Windows is hard, try keeping up with several OSes. I sometimes curse out loud because of all the mailing lists I have to track and all the tools I have to use to make sure my systems are patched. I'm pretty sure that, as the number of platforms increases, the amount of consistent, thorough patching decreases.

So, props to Grimes for using his head and for taking a somewhat controversial position.

Posted by Ed at 09:16 AM | Comments (0) | TrackBack

McAfee Warning about Mac Malware

Interestingly, McAfee has decided to warn us all about the probability of malware appearing for OS X in the near future. McAfee has apparently put out a whitepaper called "The New Apple of Malware's Eye." The Register implies that McAfee's whitepaper is pretty much a hollow justification for their new VirusScan product for Mac on Intel, but there's actually some good data about the growth of Mac vulnerabilities in the paper. Anyway, it's 6 pages, so it's minimal time invested, and it's a very interesting read.

Posted by Ed at 08:44 AM | Comments (0) | TrackBack

May 05, 2006

Malware Statistics Apparently Malleable

Remember when we went through the McAfee "Rootkit Report" and pointed out that their "statistics" were merely reflective of their product rather than actually reflective of what's going on in the real world? Well, today I stumbled across the headline "Virus emails drop to record low" informing us that virus-laden emails are at the "record low" figure of 1.5%:

...total number of virus-laden emails fell by 56 per cent compared to March's figures, with infected mail now making up just 0.79 per cent of inbound emails...

Bull. Why is it bull? Because this number (and others like it) doesn't reflect the reality; it only reflects a particular vendor's product - essentially the same point that I raised with McAfee's rootkit numbers. These numbers reflect the unique nuances of the instrument used to take the measurements - they do not necessarily tell us much about what's going on outside of that. How do we know? Because the .79 percent figure is from the Blackspider statistics; but they're not the only people publishing this stuff.

According to some of their "peers", the April virus numbers were: Messagelabs - 1.5%, MX Logic - 3.8% (7 day window, not all of April), Sophos - 0.7%, EmailSystems - 0.42%, and so on. Look, these may sound like small percentages at first, but when we're talking about 60 billion emails a day, the difference between .8 percent and 3.8% is 180 million emails per day. Over the month, that's a range of error for these numbers +/- 5.5 billion. See what I mean? In my opinion, we would need to see all these different vendor numbers plotted out against each other over time in order to really make guesses about what's really going on under the hood.

Posted by Ed at 09:35 AM | Comments (0) | TrackBack

May 03, 2006

The Gigantic "Bull's Eye" on Apple's Forehead

You know that sweet little icon that Apple (the company) paints on their products? You know the one I mean; it's a (usually glowing) picture of a stylized apple (the fruit) with a tiny bite taken out of it. Well, what if I told you that Apple (the company) was going to replace that icon on all its products with a gigantic friggin bulls-eye that says "hack me, pencil-neck" right in the center of it? Ok, they're not really doing this; at least not literally. What they *are* doing, however, that's likely to generate almost as much attention from the malware community is proclaiming themselves to be completely virus free. Oh, I'm quite serious - check out the advertisement; it's a scraggly looking "I'm a Mac" guy in jeans wiping the nose of the "I'm a PC" guy in a suit. The "I'm a Mac" guy goes on to say how there are so many viruses for the PC, but none on the Mac.

Now, I don't know about you but I haven't seen this kind of hubris since Oracle's "unbreakable" campaign. Remember that? I do. I remember that at one point in time, most researchers ignored Oracle and pretty much left it alone... Then Oracle stepped up on the soapbox shouting "we're unbreakable", only to find themselves getting the kind of scrutiny from hackers usually reserved for new flavors of Mountain Dew.

The Mac press has apparently "bought in" to the hubristic message and has decided to run with it. For example, The Mac Observer (in the article "Cutting Through the OS X Security Rhetoric") whitewashes Apple's recent security problems (or, in Mac Observer parlance, the "misinformation being spread by the media") by attempting to "debunk" the recent press that has painted Apple unfavorably. Now, I love my Mac as much as the next guy, but I'm not going to accept a statement like "...it's obvious that Mac OS X is currently a more secure and stable operating system than Windows XP..." without questioning why it's obvious. What data is being used to back up that assertion, because it's not obvious to me?

And, as we know, much of the user community has already bought in, in the absence of evidence. Check out the comments from the Mac Observer article:

Apple I think responds far more quickly than Microsoft especially if they find something that is dangerous. But they're not going to drop everything for the knit picking that Sans and others say may be or could be type scenarios. ..
[For the record, Apple responds consistently slower than Microsoft, even if the issue is more dangerous. Plus, most of us in the security community tend to view 0-day remotely exploitable bugs with a certain amount of gravity (i.e. not "knit-picking")].

A good reason for Apple's "slow" response time is because of how insignificant the threats are. You can't really expect them to pile in a million technician hours to fix a flaw that is basically theoretical or has only been seen in action once in the wild.
[it's true, 0-day remote code execution is hardly worth a developer's time]

Posted by Ed at 09:43 AM | Comments (0) | TrackBack

May 02, 2006

Time to Patch

Hey, remember when we were looking at how long it takes Apple to patch compared to other vendors? Well, it looks like somebody took that same concept and ran with it - extending the sample set in order to get better data. Not for nothing, but their more scientifically rigorous approach bears out the humble conclusions that we came up with back in March (man I love being right). ;-)

Anyway, in "A Time to Patch III: Apple" (to give due props, I came across it via reference on Emergent Chaos), they tracked how long it takes for Apple to patch vulnerabilities compared to other vendors that have the same vulnerabilities (like Linux, BSD, etc.) The article is worth a read for the data, but don't neglect to read the humorous comments just below.

Posted by Ed at 09:46 AM | Comments (0) | TrackBack

May 01, 2006

Mobile Malware vs. the Goat Sucker

Have you ever heard of "El Chupacabra?" Well, just in case you haven't, El Chupacabra (in English, the "goat sucker") is a South American spiked, fanged, goat-eating beast that strikes terror in residents of Puerto Rico and (more recently) South and North America. There've been hundreds of Chupacabra sightings in the past decade, and there are thousands of people (smart, educated people) the world over who swear that the Chupacabra exists. But scientists disagree. Scientists argue that the Chupacabra is "mass hysteria" ("folie à plusieurs") - they argue that individuals have been subjected to sufficient "hype" to induce themselves to believe in absence of fact. This is not a slight against Chupacabra believers - after all, such a creature *could exist*, tons of reputable people believe in it, victims (mostly exsanguinated goats) have been found, etc. I'm not going to say that it doesn't exist - but I will say that I think it to be unlikely; just because something could exist doesn't mean that it does...

So who cares, right? What does "El Vampiro de Moca" have to do with Information Security? Simple. I think we have a similar form of mass hysteria in Infosec. I think there's a phenomenon (like the Chupacabra) that could exist but probably doesn't, that's perpetuated by hype, that continues to gain interest in absence of fact, in spite of research, and contrary to the evidence... I'm talking about phone-borne malware.

Clearly, there's no absence of hype. Take, for example, the recent Infosecurity Europe show; a hotbed of mobile malware paranoia. McAfee spread the word that "An effective mobile virus is coming; maybe not tomorrow or this year or even next, but it's coming" and "Mobile viruses have definite financial possibilities because there's a clear return... we are on the cusp of an attack." And while McAfee doesn't provide any evidence to substantiate that claim, F-Secure makes the claim that new mobile malware is rapidly spreading (only to later grudgingly retract those statements, as there really is no such malware after all.) Clearly, tons of hype, right? It's become so bad that it's starting to impact the way we do business.

But what's the reality? Well, for one thing, the phone manufacturers aren't (in their words) "breaking a sweat" over the possibility. And why should they? How much phone malware has there really been? A few proof-of-concepts (like Commwarrior and Cabir)? A few strains that require explicit user intervention in order to propagate? Clearly, a user having to respond in the affirmative to the "Infect the machine?" prompt is unlikely to generate a tremendous number of infections in the wild. Ok, ok, so the prompt doesn't really say "infect the machine?", but is "Install Commwarrior?" really that stealthy by comparison? Yeah, I thought not.

There are tons of reasons why mobile malware is unlikely to occur: for example, the lack of a ubiquitous substrate within which to propagate (i.e. smartphones are different from each other and there aren't many of them), the lack of a constant API and feature set on the device, and the lack of a reliable vector for transmission. But the reasons don't matter - what matters is the hype. There is no documented, viable, mobile malware - but since it's in the realm of possibility that some could develop in the future ("on the cusp" as McAfee says), it continues to fire up the industry and get the press. Analysts call attention to the overblown press and the folks working with this day by day tell us that this is a non-issue but every day, the hyperbole increases.

As for me, until something changes, I'm filing "phone-borne malware" in the back of the closet until the evidence catches up to the hype.

Posted by Ed at 10:18 AM | Comments (1) | TrackBack