Security Absurdity

File this under the "blogging about blogging" category:

A recent Slashdot article turned me on to the Security Absurdity blog, highlighting, as the author puts it, "The Complete, Unquestionable, and Total Failure of Information Security." While not typically a great source for finding nuggets of highly-valuable InfoSec news, the old geek standby comes through once again.

In essence, this is a series of editorials about how information security has, as a profession, been a miserable failure. Looking back at my posts, I suppose the author of Security Absurdity managed to articulate the heart of a lot of my, and the community's, complaints all along. Pity the user of a computer, nowadays.

However, I want to make perfectly clear my view that the Information Security community is not the one responsible for these problems. The root cause, by and large, lies in the design and implementation of software: software producers have created this mess of a situation that we in the InfoSec community are trying so hard to fix. They failed to build reliable, secure products and to educate users, at the point of purchase, in those products' proper use, period.

Moving on to our role, I agree with the author: we have also failed. We have failed to properly articulate the universe of problems created by bad software or software implementation, and furthermore, we have failed to educate those who should need to know, and to build technological protections for those who shouldn't have to worry about it. We've taken too narrow a focus, setting our sights on specific problems and dedicating huge amounts of resources to designing fantastic solutions, while turning a blind eye to the bigger problem.
Case in point: firewalls.
Problem solved: applying principle of least privilege to network-based, inter-computer communication.
Bigger problem narrowly addressed: Principle of least privilege.
Illusion: bigger problem nearly solved by narrow solution.

Security product vendors share as much of the blame as we analysts do: overstating the effectiveness of their products, while helpful to their bottom line, hurts the industry badly. People unfamiliar with the scope of information security challenges believe that the solution they purchased to solve a narrow set of problems is a silver bullet, or something near to it. These individuals shouldn't have to worry about the gory details of security to browse the web. After all, my DVD player plays DVDs, why should my computer be any different?

I don't have the solutions, but clear and concise communication from the InfoSec community to the rest of the computer-using world would be a really great start. Bravo to the SA blogger(s). Their commentary is long overdue, and the community would do well to heed some of the advice therein.


Malware trend worth watching

Malware that can detect VM or sandboxed environments and react appropriately is not a new concept. However, seeing it in the wild with any sort of frequency is big news. In a little-reported SANS ISC update, Lenny Zeltser comments "3 out of 12 malware specimens recently captured in our honeypot refused to run in VMware."

This is a trend analysts knew was going to come around eventually. While the tactic's employment by authors is still in its infancy, this represents a major development: every malware analyst uses VMware at some point in their analysis. It appears the "bad guys" figured out how to get another leg up in the constant arms race we engage in. This will be yet another aspect of the back-and-forth between authors and analysts that has been ongoing for years. Someone will find a way to beat the VMware detection, then better detection will be developed, and so on. However, this is one of the biggest leaps in anti-analysis from the black-hats since the emergence of executable packing. Better keep an eye on this one, folks.


InfoSec Laws, Pt. 1, and 2007 predictions

Newton's Second Law applied to IT: An administrator at rest tends to stay at rest, unless acted upon by a force.
How many times have we had to pester system or network administrators to do something involving security? How many times do we have to keep asking them to do the same thing? Unfortunately, many of those outside of the security community tend to put all other priorities and notions above even the most immediate security needs. I've even seen this in the midst of a compromise or crisis. While this situation has certainly improved in the past 10 years, it has a long way to go. In that time, I've been trying to find a simple way to sum up all of these problems, and I think I have finally found the answer in Newton. Thanks, Isaac!

The Jesus Principle of Intrusions: Seek, and ye shall find.
The past 8 months have been a watershed for me professionally, insofar as Incident Response is concerned. Through all of the digital trauma witnessed, most of which I cannot discuss here, I have come to conclude that the only reason any security analyst is not working on IR at any given time is simply because he or she has not found the security breach, not because there are no intrusions happening on the network. For a brief period of time, perhaps in 2004, the good guys finally had the advantage. Ever since, that advantage has been dramatically reversed. Our adversaries are far more skilled than in the late '90s and 2000s, when the world first began to sincerely appreciate the problems of poor information security. Fortunately, we are too, but I feel the gap is just as large, if not bigger. They have new tools. We have the same old tools, in new, shiny packaging and perhaps an easier GUI. The result has been the constant compromise, to one degree or another, for a variety of reasons, of nearly every network of any significant size.

As 2007 rapidly approaches, I feel next year we as a society will begin to feel the repercussions of the security problems facing IT in a very different and much more serious way: in terms of the national security of industrialized countries, the financial stability of big companies suffering from widespread, difficult-to-identify compromises, and measurable economic impact stemming from this and the large number of identity thefts happening recently. We've already seen the beginnings of this: media reports of foreign nation-states targeting military and contractor computer networks, ChoicePoint facing major problems as the result of its breach, and the recent revelation that 50 million US citizens have had their identities stolen. I feel a failure to properly address this as a society (or the industry's failure to effectively warn of it) will lead to serious consequences in 2007. Perhaps by the end of the year, after enough problems have surfaced, we will begin to debate reform and change perceptions. I think 2007 is the year to turn this corner, but only because of the large problems we will face that have long been predicted by security pundits.

As much as I hate to be a doom-sayer, my eyes were opened in 2006 to many of these problems simmering just below the surface. In a silver lining moment, I will say this: The worst that can happen is that we as a country continue to turn a blind eye to economic and national security problems related to Information Security, allowing them to undermine our economic well-being and defense posture. A watershed moment is just what we need, but it will be a painful path to walk when it comes.


IE7 and security: Don't count on it

As if to reinforce all of the beliefs of security analysts and pundits regarding Microsoft's true commitment to Trustworthy Computing, Secunia is reporting on an "Arbitrary Content Disclosure Vulnerability" affecting IE6 and, you guessed it, IE7. The fact that this was found less than 24 hours after IE7 was released is all the commentary that is needed.

It all leaves me wondering: which was the worse of the two outcomes of Microsoft tying IE to the Windows operating system, spending hundreds of millions of dollars dealing with EU and US antitrust actions, or the mudslide-like erosion of its customers' trust? And was it really that important to eliminate Netscape as a competitor?


2007 Department of Defense Cybercrime Convention Preview

A few months ago, a coworker and I submitted a topic for presentation at the 2007 DoD Cybercrime Convention. We were happy to learn a few weeks ago that it has been accepted. If you haven't been, or aren't familiar with the conference, I'll give you a brief overview:

The DC3 is a technology, technique, and information sharing conference specifically for the US Department of Defense and law enforcement officials (LEO). Few outside of that community are privileged to attend; even as a knowledgeable SME of a large contractor, I was lucky to have been able to go last year. The goal is to keep costs down so that our civil service employees can afford to attend, and the vendor-sponsored gimmicks are generally kept to a minimum. Last year's conference rated a "pretty good" on my scale from "would rather have been auditing" to "first SANS experience." Others who attended and presented, like Taosecurity's Richard Bejtlich, also had some good things to say, after a well-justified rant about how poor Alan Paller's keynote was. Keynote speakers weren't so hot, and presentations ranged from thinly-veiled sales pitches that I walked out of, to incredible demonstrations by Dr. Memon (ForNet and Reassembly of Fragmented Files) and Kevin Mandia (Performing Malware Analysis). But the "good" made putting up with the "bad" worthwhile.

Our presentation is Wednesday morning, 1/24/2007. The lecture title is Advanced Attacks from the Front Line: How our Adversaries Threaten Mission Success (currently misspelled on the webpage). For a bit of insight, in case anyone reading this can attend, the abstract is as follows:

The US government and DoD do not constitute the entire front line defense of state secrets targeted by our nation's adversaries. The cleared contracting community, as designers and manufacturers of weapon systems, possesses sensitive information critical to mission success; information equally coveted by the same adversaries. This presentation will discuss the highly-skilled, highly-organized threats contractors face when defending this data, highlighted by two recent case studies. Evolving tactics and trends, their effectiveness against traditional defenses, and new techniques to counter them will be presented. Opportunities to face this threat as a joint government-contractor force abound, and will be articulated at the end of this discussion.


InfoSec humor

Most of the topics discussed in this blog are serious, scientific, or pretty heavy reading. I've decided it's time for a break. Watching the Colbert Report tonight on Comedy Central, I caught his bit on Information Security. Very funny, highly recommended watching.


McAfee & Symantec: Sleep in the bed you made

Microsoft has officially announced their long-anticipated consumer software suite, OneCare. They believe they're "creating a new category," offering firewall, anti-spyware, and anti-virus all in one package. But this is only because the traditional Anti-Virus vendors have let their industry dominance go to their respective heads.

In reality, what has happened is McAfee and Symantec have simultaneously created artificial categories of security problems, and let their consumers down in those respective areas. Microsoft has stepped up to fill in the gap. Ten years ago, there were only computer viruses. Now, just look at the over-genrefication of the threats facing consumers: viruses, worms, bots, spyware, phishing, spear phishing (my personal favorite in the "ridiculous" category)... Perhaps this was done to increase paranoia, or "awareness" as vendors like to say, about the threats facing consumers. Whatever the reason, it's confused consumers, and given the traditional AV vendors more areas in which they can fail.

If Symantec and McAfee had addressed all malware threats as a whole, as consumers expected them to do, they would not be in the situation they're in now. I can't count the number of times I've heard hapless users say "but how could I have spyware, I've got my anti-virus up to date?" The implied assumption on the user's part should be accurate. But thanks initially to the complacency of the AV industry leaders, and later to their greed (expecting users to pay for malware protection based on category: spyware is a different product), ordinary computer users are in a world of hurt.

The solution? Microsoft. Oh, what a twisted world we live in, when a vendor can convince users to pay for poorly designed and written programs and then again to protect against attacks they've made possible. Never mind the fact that users are now having to trust their security to the very same people who've made their security weak in the first place. But given that their traditional protections have been letting them down for years, consumers have no other choice. Almost like an American presidential election, the security industry has left the majority of the world to decide between "bad" and "worse." It didn't have to be this way.


On civilian monitoring, technology, tools, and terrorism

I try to stay away from politically-charged topics in my posts, but many times politics and information security overlap, leaving me no choice. There has been a lot of press recently involving various activities the NSA has undertaken in the past few years. Since 9/11, the US has been willing to sacrifice personal privacy in the name of security; specifically, with increasingly broad monitoring techniques using modern technologies and tools. This has spawned a virtual arms race between privacy advocates and law enforcement, with more advanced monitoring leading to more advanced protection mechanisms, and vice versa.

One of the tools developed by privacy advocates, with the help of the EFF, is The Onion Router, or TOR. At a very high level, this software attaches your computer to a network of other active TOR clients and routes network traffic randomly through these nodes, obfuscating the true source of the activity. While the implementation isn't perfect, it's a good way to provide one layer of obfuscation to requests made from one's computer. Recently, TOR was identified by a three-letter government agency as a potential threat; a tool that could be used for malicious activity, possibly by terrorists. The distribution of this document is restricted, so I am unable to reference it here.

Does anyone else find it ironic that tools being developed to protect individuals' rights in response to draconian monitoring policies are being identified as terrorist threats by the governments instituting such policies? It seems as though such policies are providing ammunition to the threats they are intended to counter. The more governments infringe on the privacy of ordinary citizens, the more prevalent and complex dual-use tools like TOR will become, aiding terrorists and privacy advocates alike. I fear that this erosion of privacy and misplaced trust in the tradeoffs between privacy and security will leave us with nothing to show in terms of national security. Our government needs to accurately identify the threat and focus its resources there, rather than on the wholesale collection of data.

Bruce Schneier, who was interviewed by CNN when the USAToday story broke, has a great opinion article on this topic as well. Note that it was written before the recent article that I mention above.


Address space randomization

First, on the subject of administrivia: it's been awhile since this blog has been updated. It's been a busy few months, and I've managed to draft a number of entries, so expect a barrage of updates in the next few weeks.

I've recently completed a paper discussing an effective implementation of address-space randomization. In short, randomizing the location of critical objects in memory has been proposed as a means to counter arbitrary code execution. The PaX and GRSecurity groups have implemented this in the form of a Linux kernel patch, along with a number of other protections. This has been criticized as ineffective by Shacham, et al., amongst others. My solution proposes a simple watcher process that addresses the shortcomings brought forward by this paper. The abstract is pasted below:

The true protection offered by randomization of the memory address space has been widely debated, most notably by Shacham, et al[1]. The limited entropy afforded by memory addresses of 32-bit architectures, specifically, allows for brute-force discovery of the randomized locations of critical system objects. In this paper, it is shown that a watcher process can successfully stymie attempts to remotely discover randomized memory address offsets. In this implementation, address-space randomization becomes an effective protection measure against arbitrary code execution.
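To make the abstract's argument concrete, here is a constructed toy model (added here; not code from the paper, from PaX, or from GRSecurity): a service holds a fixed 16-bit randomized offset, every wrong remote guess is observed as a crash, and an assumed crash-counting watcher blocks the guessing peer long before the expected 2^15 guesses are reached. The peer address, the 16-bit space, the secret offset, and the threshold/window policy are all assumed values for the simulation.

```python
from collections import deque


def expected_guesses(bits: int) -> int:
    """Mean number of sequential guesses to hit a uniformly random
    offset drawn from `bits` bits of entropy: the mean of 1..2**bits."""
    return (2 ** bits + 1) // 2


class RandomizedService:
    """Stand-in for a server whose randomized offset stays fixed across
    requests, the case in which brute-force discovery is feasible."""

    def __init__(self, secret_offset: int, bits: int):
        assert 0 <= secret_offset < 2 ** bits
        self.secret = secret_offset
        self.bits = bits
        self.crashes = 0  # every wrong guess is an observable crash

    def probe(self, guess: int) -> bool:
        """Return True when the guess matches; otherwise record a crash."""
        if guess == self.secret:
            return True
        self.crashes += 1
        return False


class CrashWatcher:
    """Assumed watcher policy: count crashes attributed to a peer within a
    sliding time window and block the peer once a threshold is reached."""

    def __init__(self, threshold: int, window: int):
        self.threshold = threshold
        self.window = window
        self.events = {}      # peer -> deque of crash timestamps
        self.blocked = set()

    def record_crash(self, peer: str, t: int) -> bool:
        """Log a crash from `peer` at time `t`; return True once blocked."""
        q = self.events.setdefault(peer, deque())
        q.append(t)
        while q and q[0] <= t - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(peer)
        return peer in self.blocked


def brute_force(service, watcher=None, peer="198.51.100.7"):
    """Guess offsets 0, 1, 2, ... from one peer, one request per time unit.
    Returns (found, guesses_made)."""
    for guess in range(2 ** service.bits):
        if watcher is not None and peer in watcher.blocked:
            return False, guess            # cut off by the watcher
        if service.probe(guess):
            return True, guess + 1
        if watcher is not None:
            watcher.record_crash(peer, t=guess)
    return False, 2 ** service.bits


if __name__ == "__main__":
    secret, bits = 4660, 16  # constructed values for the demonstration
    print("expected guesses, no watcher:", expected_guesses(bits))
    print("no watcher:", brute_force(RandomizedService(secret, bits)))
    w = CrashWatcher(threshold=20, window=1000)
    print("with watcher:", brute_force(RandomizedService(secret, bits), w))
```

The crash-count signal is the same one a real watcher would key on; what differs in practice is only how crashes are attributed to a peer and what the block action is.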


Post follow-up: PC-to-Mobile Virus Found

Back in November, I wrote about the potential for malware jumping between computers and our increasingly-complex handheld devices. It appears that the first PC-to-mobile virus has been developed and submitted to MARA (Mobile Antivirus Researchers Association) as a proof-of-concept. The threat is no longer theoretical, it is now practical. While this particular threat attacks via Microsoft ActiveSync, users and developers alike should begin thinking about other attack vectors such as Bluetooth and begin exercising restraint when using these technologies, being mindful of the principle of least privilege.


Integer to IP conversion

In what may be the penultimate geek pissing contest, my co-workers and I recently had a competition to see who could generate a dotted-decimal IP address from an integer (a common challenge, for those of us working in the trenches in the networking and infosec world) in a script using the fewest commands possible. While I may not be proven in time to be the winner, I'm currently the leader with the following Perl gem:

# prints the 32-bit integer in $ARGV[0] as four dotted-decimal octets, high octet first
for($i=24; $i>=0; $i-=8) { printf("%d%s", ($ARGV[0]>>$i) & 0xFF, $i ? "." : "\n"); }

I was too proud of this to not mention it; although I realize it reinforces any and all notions that I am, in fact, a huge nerd.

Update: I've been struggling with formatting on this entry. Trying pre tags, with the line chopped off in the middle seems to work.


Information Security and the FBI

I read the following in a recent installment of SANS NewsBites:
--FBI Recruiting IT Personnel
(29 December 2005)
The FBI has announced that it is seeking to hire Information Technology
(IT) professionals for "critical IT positions;" interviews for computer
scientists and engineers, IT specialists and IT project managers are
scheduled to begin in January.

[Editor's Note (Schultz): The real issue for the FBI is not so much
recruiting IT experts, but rather retaining them. Time-after-time
industry, which often pays far more than the FBI can, hires the
"best and brightest" away from the FBI.]
The FBI has many challenges it is falling short in meeting, including a competitive salary structure. In my mind, the FBI's approach to hiring and personnel placement is at least as big a problem as their inadequate salaries. Back in 2003, I was in the middle of the interview process for the FBI (round 2, I believe) when I was given the following information:
  1. I would not know where I would be geographically placed until after my 16 weeks of training in Quantico, VA
  2. I would not know my job duties until my first day on the job after my assignment was determined.
This meant that only after committing to a career at the FBI and agreeing to move my life to an indeterminate city would I be told what the rest of my career would hold. They could not tell me if I would be doing computer forensics, crime scene investigations, SWAT duties, or posing as 14-year-old Julie in an internet chat room. As much as I honestly wanted to work for the FBI, and do good work for my country, I couldn't risk sacrificing the years of experience and higher education I'd invested in Information Security to be a ballistics expert for the feds. Not that the jobs I've mentioned aren't important, but more important to me was my career. Until this gap is filled along with the salary problems, the FBI will continue to fall far short of the expertise it needs in the field.

In practice, these shortcomings are obvious. I have met a number of FBI special agents in my career in Information Security, and it's apparent that the people getting the security-related positions aren't adequately prepared for them. To a man (or woman), every agent I've worked with has been hardworking, intelligent, helpful, and willing to acknowledge where their training falls short. They really are talented individuals, but their knowledge has nearly always been inadequate for the type of important work they assume. It is an organizational problem in every regard, not an issue with the agents themselves.

The internal politics must also turn off more qualified analysts. In a recent meeting with two special agents representing my geographical area, I was informed that IP (intellectual property) issues were prioritized higher than issues like child pornography, fraud, and identity theft. While I have my own theories on why this is the case (it involves lobbyists from certain industries), the point is that it must be difficult to work under conditions where the country's political climate dictates your work priorities. I have great respect for individuals who can work and succeed in such an environment, but maintain that such an environment is just one more turn-off to highly-qualified individuals who can work elsewhere without such distractions.

It's important for the security of our country and its citizens that these issues be addressed by the FBI. Change is already afoot in this agency; let's hope it picks up steam and is implemented with a speed uncharacteristic of the federal government.