Security Sprint – Malvertising

We’re all busy people. A security sprint should take no more than two hours… which while long for a real sprint, it a mere blink of an eye when compared to the multi-year commitment that is proper security practice.

One of the easiest ways for an attacker to get malicious software to a target is to get it running on a popular site. Newspaper and TV sites are popular targets, and since they fund their operations with web-based advertising, that’s where attackers focus. If they manage to compromise an ad server, then they can get their malicious software right on the popular targets without actually having to compromise the targets themselves.

Sadly, this technique is all too effective against the undefended.

Happily for us, it’s easily defended against.

If you run Firefox, you’re in the best shape. There’s an Add On called Adblock Plus. Once you install it, you’ll be prompted to select a subscription from the list. (I just pick the top one.) This list matches most ads and keeps things up to date for you, so if the location of the ad changes, it’s still blocked. So, not only do you not see the annoying ads, but you’re also protected against the “malvertisers”.

I don’t have much direct experience with the non-Firefox browsers, but if you want to use something else, check out Ad Block IE for IE8, IE7Pro for IE7, this technique for combining AdBlock Plus Filters in IE, and PithHelmet for Safari.

I do have to point out that some developers have gotten clever, and code their applications to make sure that ads are loaded, so if you use this trick, expect things like Facebook games not to work. But then, you shouldn’t be playing them anyway.

Security Lessons from Nature – Autotomy

Autotomy is the fancy name that people give to the well-known tendency for certain lizards to throw off their tails to escape predators. The theory, is that the tail will thrash around and distract the predator, thereby giving the lizard a chance to get away. It must be noted that other critters like octopuses, crabs and some starfish also do this, as do sea cucumbers. (Though the sea cucumbers eject their internal organs instead.)

So what does this mean in the business/IT world? Well, the obvious analogy is to distract an incoming attacker by abandoning your resources and letting them go nuts while you relocate your business to Sri Lanka. However, some might consider this approach somewhat impractical.

However, if we stretch the analogy to the point of breaking (much like a lizard’s tail), perhaps it makes sense to build a business strategy around distracting attackers. There are some technologies that could assist with this. A honeypot is often used to trap attacks so that people can learn from them. This has become even easier now that virtualization has become prevalent. All you have to do is join one of many projects and you’ll have a nice fake network to distract attackers.

Another technique is tarpitting. This technology looks at incoming connections, and if they are not approved, it doesn’t reject them right away, but instead extends the time before the connection is closed. Thus, attackers are delayed and, in theory, you gain the time to build a defense.

In practice, of course, you need to actually be watching for the attack and take defensive action. This technique wouldn’t work very well if the lizard dropped it’s tail and then stared dumbly as the dog wrestled the tail into submission, ate it, digested it, napped for a bit, woke up, got a bit hungry than then saw a nearby tasty tailless lizard. So, if you decide to go after this option, you have to remember to “run and hide”. In other words, keep an eye out for the attacks and be ready to block them.

Mythic Monday – Hubris

I made the mistake the other night of watching Blade Trinity. The movie, as a whole, is irrelevant to this point (and all others, really). However it occurs to me that the evil villain, Dracula (yeah, that’s original), suffers from a flaw that is common in many stories. Basically, he is so confident in his skills that he ignores the fact that the hero of story already defeated two movie worths of baddies.

To be fair, other major villains suffer from this same problem: Darth Vader, Lord Voldemort, Lord Sauron… as do heroes: Oedipus, Gilgamesh and Dr. Gregory House. The problem with them all is that their overconfidence leads directly to their eventual downfall. Sometimes, it is dramatic and impressive, other times (like this) it just involves a lot of bright shiny pixels that fly every which way until the filmmaker’s budget is used up.

The lesson to learn, I think, is that hubris kills… often at an appropriately-delayed climactic plot point. Here in the real world, of course, we tend not to have impressive glorious pixely deaths, which just leaves the problem of supreme overconfidence.

In I.T. Security, this sort of thinking often manifests itself as a general feeling of invulnerability against attack. This can be due to an existing investment giving a greater feeling of security than actual security. It can be due to a belief of general supremacy that is undeserved. Most often, though, it is due to a fundamental misunderstanding of the enemy.

Just as Lord Voldemort couldn’t conceive of a bunch of school kids as a threat, and Oedipus allowed himself to think that he had outwitted fate (never, never wise), if you ignore I.T. threats, you render yourself vulnerable to them and, through them, invite your inevitable comeuppance. If you accept your business in all it’s flaws, you’ll know where to protect yourself. If you do not, you may well go out in a blaze of shiny glory that is just as logically inexplicable as Dracula’s shape-shifting powers in this horrible movie.

Should we allow our employees to engage in social networking?

Introduction

The question often comes up: Should we allow our employees to engage in social networking? The debate has raged for years, and surprisingly, it is still not settled. In general, the discussion tends to fall down four possible paths:

1) Social media reduces productivity
2) There are a lot of threats that comes from social media
3) Social media is a new technology and therefore is scary
4) Employees don’t really need social media anyway

So let’s take a look at these:

1) Productivity

Many times the “productivity” topic rages within the security field, which has always surprised me. Keeping employees productive is the responsibility of the business owner, and while I’ve often seen it delegated, I’ve never seen it delegated to either the security people or the admins. Realistically, this is the responsibility of management or HR.

Even then, it seems that every place has slightly different rules as to what is and is not been permitted. In some places, it’s customary to spend hours each Monday morning talking about the previous weekend’s hunting or sporting events. In others, everyone takes off Friday afternoon and sits around socializing before “closing time” hits. In still others, there are required breaks every two hours as well as a mandatory lunch. However, in absolutely none of them is social interaction categorically denied. The prevailing attitude seems to be that so long as the work gets done, the specifics are irrelevant.

Different people work differently and some need the occasional long social break to limit distraction. Humans are social beings and there is considerable evidence that socialization is a deep-seated need in our species*. It seems unlikely that many people could be truly productive without a form of socialization… do the technical means really matter?

Perhaps, instead of banning the technology, it would make more sense to monitor productivity and ensure that any employees that begin to stray are quietly corrected. This would enable you to take advantage of the benefits that the technology offers without necessarily experiencing a productivity hit.

* This could be a long discussion in of itself, but, fascinating though it may be, would distract from the point

2) Threats

A considerable amount of malware and no-tech attacks come from social sites. Twitter is particularly bad, due to the inherent obfuscation used in the TinyURLesque sites (though they’re working on it). However, you can’t live a life that is entirely devoid of risks, and in most cases we don’t approach risks by banning the technology. Instead we take a balanced view and assess risks before we take action. For some reason, many people tend to approach these problems as if it were a game of whack-a-mole, which is a shame.

To draw the over-used analogy to automobiles (a similar technologically-induced societal change), in the rural states, a common threat is deer. We could address this threat by building fences along each highway (Banning) or by constructing a massive array of detectors, implanting RFID chips in each deer and building weapons-equipped automated flying drones that kill any deer wandering onto the road (Intrusion Prevention). Instead, we put up little yellow signs that tell people to be careful. For some reason, we find this a more economical solution, even though it places a slightly higher burden on the drivers to pay attention.

I think that a lot of security professionals avoid the “educate the users” tack because it’s traditionally not worked too well. Of course, a lot of us are also far more comfortable with technology than we are with people, so it is possible that the past failure of education was due to our own failure to educate ourselves on education processes. Maybe, if we were better at making little yellow signs, many people would manage to avoid the majority of threats.

3) New Technology Is Scary

I am sorry to say it, but we security professionals tend to say “no” a lot. I ran into this problem myself recently and used what I call a “shortcut no” — where I said “no” when I meant “yes we could do that, but I think it would be prohibitively expensive”. However, within the security community, when one person’s “shortcut no” is heard as a “true no”, we tend to build up an echo chamber effect and think “no one else is permitting this technology, so there must be a reason, so let’s just say ‘no'”. This, I think, results in the regrettable state of things being banned “for security reasons”.

Changes to technologies and processes must be first analyzed and the risks then be explained to management. At that time, it is their decision. I have encountered businesses that prefer to believe that regulations such as PCI-DSS, the FTC Red Flag Rules and HIPAA/HITECH do not apply to their business. In some cases, I have disagreed, but it is, in the end, their decision. Perhaps the failure was on my part, and I was less than ideally effective in explaining the risks. However, an alternate perspective is that many experience an unconscious resistance to change. The impact of new regulations is change, and in many cases, change may be scary.

Of course, fear of change is part of being human. Luckily, if you know this, you can take steps to address it. One common approach is to take a social media class. If you lack the budget for such a thing, you can also spend a day reading about it online. Good Google terms are social media in business, twitter marketing, facebook marketing, Internet Business Mastery and search engine optimization.

4) Do They Really Need It?

Four years ago I gave a presentation to a group of entrepreneurs about how to leverage technology in a start up. One question I was asked was “Do I really need a website?” I was stunned. I couldn’t imagine a new business without one. Most people I know first check out a business on the web, both for contact information and for reviews. If a business isn’t on the net, it’s invisible. If it’s on the net but no one is talking about it, it’s probably not worth much.

This is even truer today. I don’t think I’ve opened a phone book once in the last year. I’ve found many great resources through word of mouth via the Internet. Social media allows me to research a company in minutes. I can get information faster than ever before on prospective clients, partners and employees. I can check my thinking against that of others in my field. I can research threats, responses and technologies without having to do the test implementation myself. (Though test implementations are still important.) If it weren’t for social media, I would be unable to do my job.

These networked social efficiencies exist pretty much across the board. Alliance Technologies tends to “run light”. Our marketing, sales, support and administration are staffed at a level far lower than other comparable companies, simply for this reason. If we didn’t have social media, we’d have to double our staff.

Clearly, not all companies are the same. However, the effectiveness of social media in all aspects of our business leads me to believe that it’s generally useful to most businesses.

A) We Can’t Stop Them Anyway

Trying to stop people from socializing is a doomed effort. You can draft and implement all the polices you want, but if they go contrary to human nature, they will not be followed. Moreover, if they are burdensome, they will be actively rebelled against. Do you really want to spend your time protecting against outside attacks while your inside people are working to bypass your web filters, firewalls and IPS systems? I know that I don’t.

Practically speaking, web filtering technology works, but nothing is perfect. You can block most sites in a category, but there is always a way around it. You can block gambling sites, but you can’t prevent an employee from placing bets via email or SMS on their cell phone. You can block porn sites, but can’t keep someone from bringing a magazine into the office if they really want to. Generally, you just raise the barrier high enough to say “management would rather you not do this stuff” and people will take the easier path. Even then, saying “don’t gamble” and “don’t look at porn” are vastly different messages from “don’t talk”. Banning social media is equivalent to banning talking at the water cooler, over the cube walls or in the hallways. If you try, you’ll experience a lot of pushback… and as employee generations shift, the pushback will grow.

Personally, I’d rather focus my efforts towards bringing the employees in line with business goals and then combating actual threats against the business. To do otherwise is just spinning in circles.

(This post originally appeared over at Alliance Technologies)

Security Lessons from Nature –

The Blue Glaucus, also known as the sea swallow, blue sea slug and blue ocean slug (’cause one name just isn’t cool enough for this sucker) is, as Wikipedia says, a pelagic aeolid nudibranch, a marine opisthobranch gastropod mollusk in the family Glaucidae. Which is fancy sciency way to say it’s a slug that lives in the ocean. (If you like to geek out on sciency stuff (like me), read this, and this and this.)

What makes this little critter particularly interesting is that it eats Portuguese Man o’ Wars (should that be “Men o’ War”?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, ’cause they’re cool too)). It can then concentrate the cells of all the Portuguese Mens o’ Wars it eats and thereby pack a stronger wallop than the original predator.

Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which make them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily one what you have in common. That’s not to say that commonality isn’t important… no acquisition is going to work out if you don’t share common proteins. However, a strategic acquisition isn’t going to be massively successful unless you can take advantage of and preserve the uniqueness.

The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn’t it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.

Of course, the other lesson to learn from Glaucy is that it’s not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that’s best practice right?

Wrong.

Best practice is protecting the business. That means making the business as successful as possible. I’m afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.

Mythic Monday – Bulgarian Scope Creep

There is a Bulgarian creation myth where in the beginning, the earth was just a tiny island. Cohabitating on this island were God and the Devil (guess they were more friendly then). One day, perhaps following an Oscar and Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst the almighty creator was slumbering, he could be tipped into the ocean. I guess that, in Bulgaria, one can be omnipotent and omniscient, and still somehow fail to gain their B.S.C and S.S.C..

Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it’s clear from this story that the Devil wasn’t omniscient), so that nary a toe got dampened. The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth. Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.

It explains a lot, doesn’t it?

Scope creep is a danger in all projects. It doesn’t matter whether you’re developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline. It’s tempting when you’re working on something to just add a little piece here and there because it will make future work easier. Unfortunately for the business, integer math insists on summation, and so long as businesses are profit-focused, integer math is going to be important. From a security perspective, scope creep is additionally dangerous because it complicates things. Complicated things are harder to secure than simple things. The simpler you can keep a project, the better you can understand it, so the easier it is to secure.

Scope creep, of course, is most dangerous when shopping. A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale… so my scope expanded a little bit and two squash wound up in my cart. Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring). After consulting one of my cook books, I discovered that I needed a few more things. After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a simmering. Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups. It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get a new blender.

All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor. While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.

I’m blaming the devil.

Advanced Persistent Threat (APT)

There has been a great deal of discussion in the security community about APT. The link covers it at a high level, but in a nutshell, it’s type of hacking that is distinguished by people who have the time and money to target specific individuals and organizations. Since the number of resources (time and money) available to the attackers are at a much larger scale than what the defenders can muster, a lot of people are calling this a game changer.

As usual, the battle lines seem drawn along traditional lines, with both sides claiming that the other “doesn’t get it”. For a quick read, check out Richard Bejtlich’s post and MANDIANT’s post and, for a counterpoint, check out Gunnar Peterson’s.

Of course, they’re both right. Neither side gets it. Both are blind. Those that work enterprise security consulting see APT everywhere… mostly, I suspect, because in the enterprise security space you only call the consultants when it’s something particularly troublesome (like APT). Of course, once you’ve focused on APT, that’s what you get called in on, so the problem probably looks bigger than it is.

In contrast, those of use that don’t consult in those spaces don’t get those calls, so we don’t see it. We also probably don’t have the transparency needed to see such activity if it is going on in our organizations. So we minimize the threat.

So what do you do about APT?

I suggest that you consider the following checklist:

  1. Do you have a firewall?
  2. Does your firewall block outgoing connections?
  3. Do you have local antimalware running on all your endpoints?
  4. Do you have a web filtering solution in place?
  5. Is all access to all systems monitored and audited regularly?
  6. Do you have a process in place to pull all legacy systems off your network?
  7. Do you have a patch management system in place?
  8. Do you have a vulnerability management process in place?
  9. Do you matc all system configurations against hardened templates?
  10. Do you have a data classification policy that applies to all your data?
  11. Are you encrypting your important data?
  12. Do you have a log retention and management infrastructure built?
  13. Are you running an IDS/IPS system?
  14. Do you have third party management systems in place?
  15. Are all of your web applications running in hardened stacks?
  16. Are you using web application firewalls?
  17. Are you using database firewalls?
  18. Do you have regular employee awareness training?
  19. Are complete penetration tests conducted against your organization?
  20. Do you have an Internet data monitoring and scrubbing policy in place?

If the answer to each question is “yes”, then you should worry about APT. This is not to say that if any of these are “no”, you don’t have APT going on in your environment. I’m saying that there’s no point pursuing a full on anti-APT strategy until you have the basics in place… and there are a lot of basics. I’m also not saying that any of these technologies will prevent APT (or any security issues), or that all problems even have technical solutions. These are just 20 questions that explore what a minimal and sufficient security solution looks like for the average business.

If you don’t have a minimal and sufficient security solution in place, it’s not that APT isn’t a threat or that an unknown enemy isn’t out to get you… it’s that you probably have more important things to be working on.

Bias Thursday – Déformation professionnelle

While I am not a psychologist, a good understanding of psychological issues is an important part of a full security practice. These themed posts are likely to be incomplete, as I am just exploring some ideas and how they might apply to security.

Déformation professionnelle (which Google translates as “professional distortion”) is the tendency to consider situations from the perspective of your profession.  The classic example is the joke “when all you have is a hammer, every problem looks like a nail”. What I’ve noticed, though, is that “profession” seems to apply to business divisions now. We’re all getting extremely specialized, and that seems to create what we can call “a failure to communicate”.

Take, for example, the concept of risk. In the security field, risk is bad and the steps that can be taken to avoid risk seem reasonable. However, in the business field, risk is viewed in terms of the potential gains that the risk can provide whereas the steps to avoid risk seem likely to cause problems and will therefore impact the bottom line. Similarly, admins and developers are likely to resist the perceived difficulties in implementing the mitigation strategies.

Again, there are both offensive and defensive capabilities to this bias. Offensively, simply knowing a target’s profession can give you a good chance at predicting their responses. If you have a planned proposal, you can practice it against others in the same profession and tweak it before you present it to the people that matter. You can be aware of the context in which they will likely view your ideas and work on expanding their context before you get to the hard stuff.

Defensively, like most biases, you just have to be aware that you will likely view things within the context of your profession. Thus, if you are having conversations with those outside of your profession, there is a higher likelihood of misunderstanding. If you find yourself reacting negatively to something someone else says, you should check and see if maybe that reaction is because you are coming at things from different contexts.

As an note to this particular bias, I have occasionally been asked why I blog the way I do. Other than the fact that the Internet doesn’t need yet another voice in the Security echo chamber, I find that forcing myself to consider issues from different contexts (mythological, natural, psychological, etc) allows me to understand the issues at a deeper level. I don’t know if it gives me any advantage over the usual advantages that one gains by taking time to think things through and write them up… but it doesn’t seem to be hurting.

Security Sprint – Firefox Profiles

We’re all busy people. A security sprint should take no more than two hours… which while long for a real sprint, it a mere blink of an eye when compared to the multi-year commitment that is proper security practice.

If you use Firefox as your primary browser, there’s a feature that you’re probably not taking proper advantage of. Firefox stores your personal data in a profile. This includes your bookmarks, passwords, cookies and add ons. The advantage here is that you can tune your Firefox configuration to what you’re doing… and somewhat segment your data.

For example, I have my normal browsing profile which includes a bare minimum number of add ons Adblock Plus, LongURL Mobile Expander, Web of Trust, BetterPrivacy, Cookie Safe and NoScript. Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like SQL Inject Me and XSS Me. Similarly, when I’m doing web development or troubleshooting, I have a separate profile that loads Web Developer and Live HTTP Headers. This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.

In theory, it also keeps my passwords and cookies a bit safer than usual.  It’s not as secure as using a completely separate user account or even computer for doing dangerous activities, but it’s better than not doing anything at all.

To do build your own profiles, go here and launch the Profile Manager. Then, when you start Firefox, you will get dialog asking you which profile you wish to run. From there, it’s just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.

Security Lessons from Nature – Happy Groundhog Day

Happy groundhog day.  In honor of this special day, you get a picture and a scatter-shot of groundhog facts:

  • The groundhog is also known as a whistle-pig, due to its tendency to make a whistling noise when predators are near.  Much as monitoring systems will send SMS or email messages when an attack occurs.
  • Groundhogs have two layers of fur, both a soft undercoat and a guard hairs.  This is a classic defense in depth strategy, against both cold and damp threats.
  • Groundhogs mostly eat plants won’t pass up the occasional delicious grub or bug.  This allows them to supplement their dietary needs without having to track down the rare vegetative high-protein source like nuts or beans, which are needed in small quantities at various points in their lives.  This is much like an organization hiring a 1099 resource as needed.
  • They are one of the few creatures that truly hibernate and are generally utterly non-responsive for four to five months… which has no direct correlation to business, but there are days when I wish it did.
  • They have a wide range of predators, including owls, dogs, bears, bobcats and coyotes.  Younger ones are vulnerable to snakes and hawks.  Much as a security program is constantly evolving and loses vulnerability to some threats but not others, the successful groundhogs grow large enough to be immune to the snakes and hawks.
  • When predators strike, groundhogs will escape them by running to emergency burrows (hot site) or up a tree (cold site).
  • Groundhogs are mostly solitary but also live in small communal burrows.  This allows them to share the alerting responsibilities and leverage one another’s expertise… in much the same way that small teams can work most effectively in a small conference room where they can collaborate.
  • The groundhog is in the Sciuridae family along with the squirrels (and a fragment of their genetic code can be found here (as part of the SequenceJuxtaposer project (which has nothing to do with security, but is still pretty neat))).

Image in the Creative Commons and is courtesy of ~Sage~ on Flickr.

Other Sites: Business, Photos/Conservation

Get the feed (RSS):



Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.