Security Sprint – Malvertising
- At February 17, 2010
- By Josh More
- In Sprint
- 0
We’re all busy people. A security sprint should take no more than two hours… which while long for a real sprint, it a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
One of the easiest ways for an attacker to get malicious software to a target is to get it running on a popular site. Newspaper and TV sites are popular targets, and since they fund their operations with web-based advertising, that’s where attackers focus. If they manage to compromise an ad server, then they can get their malicious software right on the popular targets without actually having to compromise the targets themselves.
Sadly, this technique is all too effective against the undefended.
Happily for us, it’s easily defended against.
If you run Firefox, you’re in the best shape. There’s an Add On called Adblock Plus. Once you install it, you’ll be prompted to select a subscription from the list. (I just pick the top one.) This list matches most ads and keeps things up to date for you, so if the location of the ad changes, it’s still blocked. So, not only do you not see the annoying ads, but you’re also protected against the “malvertisers”.
I don’t have much direct experience with the non-Firefox browsers, but if you want to use something else, check out Ad Block IE for IE8, IE7Pro for IE7, this technique for combining AdBlock Plus Filters in IE, and PithHelmet for Safari.
I do have to point out that some developers have gotten clever, and code their applications to make sure that ads are loaded, so if you use this trick, expect things like Facebook games not to work. But then, you shouldn’t be playing them anyway.
Security Lessons from Nature – Autotomy
- At February 16, 2010
- By Josh More
- In Natural History
- 0
Autotomy is the fancy name that people give to the well-known tendency for certain lizards to throw off their tails to escape predators. The theory, is that the tail will thrash around and distract the predator, thereby giving the lizard a chance to get away. It must be noted that other critters like octopuses, crabs and some starfish also do this, as do sea cucumbers. (Though the sea cucumbers eject their internal organs instead.)
So what does this mean in the business/IT world? Well, the obvious analogy is to distract an incoming attacker by abandoning your resources and letting them go nuts while you relocate your business to Sri Lanka. However, some might consider this approach somewhat impractical.
However, if we stretch the analogy to the point of breaking (much like a lizard’s tail), perhaps it makes sense to build a business strategy around distracting attackers. There are some technologies that could assist with this. A honeypot is often used to trap attacks so that people can learn from them. This has become even easier now that virtualization has become prevalent. All you have to do is join one of many projects and you’ll have a nice fake network to distract attackers.
Another technique is tarpitting. This technology looks at incoming connections, and if they are not approved, it doesn’t reject them right away, but instead extends the time before the connection is closed. Thus, attackers are delayed and, in theory, you gain the time to build a defense.
In practice, of course, you need to actually be watching for the attack and take defensive action. This technique wouldn’t work very well if the lizard dropped it’s tail and then stared dumbly as the dog wrestled the tail into submission, ate it, digested it, napped for a bit, woke up, got a bit hungry than then saw a nearby tasty tailless lizard. So, if you decide to go after this option, you have to remember to “run and hide”. In other words, keep an eye out for the attacks and be ready to block them.
Mythic Monday – Hubris
- At February 15, 2010
- By Josh More
- In Mythology
- 0
I made the mistake the other night of watching Blade Trinity. The movie, as a whole, is irrelevant to this point (and all others, really). However it occurs to me that the evil villain, Dracula (yeah, that’s original), suffers from a flaw that is common in many stories. Basically, he is so confident in his skills that he ignores the fact that the hero of story already defeated two movie worths of baddies.
To be fair, other major villains suffer from this same problem: Darth Vader, Lord Voldemort, Lord Sauron… as do heroes: Oedipus, Gilgamesh and Dr. Gregory House. The problem with them all is that their overconfidence leads directly to their eventual downfall. Sometimes, it is dramatic and impressive, other times (like this) it just involves a lot of bright shiny pixels that fly every which way until the filmmaker’s budget is used up.
The lesson to learn, I think, is that hubris kills… often at an appropriately-delayed climactic plot point. Here in the real world, of course, we tend not to have impressive glorious pixely deaths, which just leaves the problem of supreme overconfidence.
In I.T. Security, this sort of thinking often manifests itself as a general feeling of invulnerability against attack. This can be due to an existing investment giving a greater feeling of security than actual security. It can be due to a belief of general supremacy that is undeserved. Most often, though, it is due to a fundamental misunderstanding of the enemy.
Just as Lord Voldemort couldn’t conceive of a bunch of school kids as a threat, and Oedipus allowed himself to think that he had outwitted fate (never, never wise), if you ignore I.T. threats, you render yourself vulnerable to them and, through them, invite your inevitable comeuppance. If you accept your business in all it’s flaws, you’ll know where to protect yourself. If you do not, you may well go out in a blaze of shiny glory that is just as logically inexplicable as Dracula’s shape-shifting powers in this horrible movie.
Security Lessons from Nature –
- At February 09, 2010
- By Josh More
- In Natural History
- 0
The Blue Glaucus, also known as the sea swallow, blue sea slug and blue ocean slug (’cause one name just isn’t cool enough for this sucker) is, as Wikipedia says, a pelagic aeolid nudibranch, a marine opisthobranch gastropod mollusk in the family Glaucidae. Which is fancy sciency way to say it’s a slug that lives in the ocean. (If you like to geek out on sciency stuff (like me), read this, and this and this.)
What makes this little critter particularly interesting is that it eats Portuguese Man o’ Wars (should that be “Men o’ War”?). Not only is it immune to the venom, but it also has the ability to absorb the stinging cells (sciency term: nematocyst (aka cnidocyte, ’cause they’re cool too)). It can then concentrate the cells of all the Portuguese Mens o’ Wars it eats and thereby pack a stronger wallop than the original predator.
Business-wise, our friend Glaucy basically performs a hostile takeover, absorbs the general features of the acquisee (proteins) and concentrates that which make them unique (nematocysts/cnidocytes). The lesson here, I think, is to look at what makes others unique and not necessarily one what you have in common. That’s not to say that commonality isn’t important… no acquisition is going to work out if you don’t share common proteins. However, a strategic acquisition isn’t going to be massively successful unless you can take advantage of and preserve the uniqueness.
The same holds true of employees. If we hire employees, it is presumably because they have skills that set them above the rest. (After all, everything else can be automated these days.) Does it really make sense to push them all towards the same lowest denominator? Wouldn’t it make more sense to give each the tools they need (both technical and cultural) to maximize their success? By doing such, you have effectively turned them into little stingers that can pack quite a punch. Then, the trick would be to set them up in teams, so their punch can be concentrated.
Of course, the other lesson to learn from Glaucy is that it’s not just a mass of stinging cells. In order to be a successful organism, it must still move around, hunt and eat. Thus, priority one is successful operation (not uniformity), and priority two is concentration of attack/defense. I often find myself falling into the trap of forgetting about operations and trying to promote uniform environments and tool consolidation in the name of security. After all, that’s best practice right?
Wrong.
Best practice is protecting the business. That means making the business as successful as possible. I’m afraid that we security practitioners often mistake the process for the result. Uniformity is a tool to promote control and control is a tool to promote security. However, as soon as the costs of uniformity and control get in the way of the success of the business, they harm security instead of benefiting it.