<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: column]]></title>
    <link>http://securityratty.com/tag/column</link>
    <description></description>
    <pubDate>Sat, 20 Sep 2008 03:03:21 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Visible Ops Security, Phase 1]]></title>
      <link>http://securityratty.com/article/20bbef9035b1f73aa39363c5b32599e1</link>
      <guid>http://securityratty.com/article/20bbef9035b1f73aa39363c5b32599e1</guid>
      <description><![CDATA[In my last column, I introduced the excellent booklet called "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," by Gene Kim, Paul Love and George...]]></description>
      <content:encoded><![CDATA[In my last column, I introduced the excellent booklet called "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," by Gene Kim, Paul Love and George Spafford. Phase 1 provides a chilling reminder of how badly information assurance implementation can go wrong.]]></content:encoded>
      <pubDate>Wed, 19 Nov 2008 21:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/visible ops security">visible ops security</category>
      <category domain="http://securityratty.com/tag/operations objectives">operations objectives</category>
      <category domain="http://securityratty.com/tag/common security">common security</category>
      <category domain="http://securityratty.com/tag/practical steps">practical steps</category>
      <category domain="http://securityratty.com/tag/paul love">paul love</category>
      <category domain="http://securityratty.com/tag/excellent booklet">excellent booklet</category>
      <category domain="http://securityratty.com/tag/phase">phase</category>
      <category domain="http://securityratty.com/tag/gene kim">gene kim</category>
      <category domain="http://securityratty.com/tag/george spafford">george spafford</category>
      <source url="http://www.networkworld.com/newsletters/sec/2008/111708sec2.html?fsrc=rss-security">Visible Ops Security, Phase 1</source>
    </item>
    <item>
      <title><![CDATA[MSDN Security Issue Articles]]></title>
      <link>http://securityratty.com/article/1074b3008b822d4dbf799e92676f81a1</link>
      <guid>http://securityratty.com/article/1074b3008b822d4dbf799e92676f81a1</guid>
      <description><![CDATA[Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog! First up is a code...]]></description>
      <content:encoded><![CDATA[<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog!</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>First up is a code review quiz, “</FONT><A href="http://msdn.microsoft.com/en-us/magazine/cc982154.aspx"><FONT face=Calibri size=3>Test Your Security IQ</FONT></A><FONT face=Calibri size=3>”. Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets that Michael and I devised. As an added incentive, I’ll post public congratulations here in the SDL blog to the first person who reverses the insecure hash found somewhere in the exam (not to give too much of a hint).</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Next up, we have “</FONT><A href="http://msdn.microsoft.com/en-us/magazine/dd153756.aspx"><FONT face=Calibri size=3>Agile SDL: Streamline Security Practices for Agile Development</FONT></A><FONT face=Calibri size=3>”. I’ve been talking about web application security issues in the SDL blog (and in the </FONT><A href="http://msdn.microsoft.com/en-us/magazine/cc794277.aspx"><FONT face=Calibri size=3>September</FONT></A><FONT face=Calibri size=3> issue of MSDN magazine, if you missed it). However, while it’s essential to make sure that web-specific issues are covered in the SDL, it’s equally important to make sure that web development teams – and other Agile development teams – can use the SDL effectively, and the classic, phased SDL approach is not always a good fit for these teams. This MSDN article is the first public look at the new SDL/Agile methodology that we’ve been working on for the last year. This process is currently in beta with some internal Microsoft product teams and online services. We’d love to get some external feedback on it before we release it to the entire company, so please send us your thoughts.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Finally, be sure to check out Michael’s Security Briefs column “</FONT><A href="http://msdn.microsoft.com/en-us/magazine/dd148644.aspx"><FONT face=Calibri size=3>Threat Models Improve Your Security Process</FONT></A><FONT face=Calibri size=3>”. Regular readers of this blog know how important threat modeling is to secure development. This article describes methods of using threat modeling not just to identify security vulnerabilities outright, but how to use it to make other SDL activities such as fuzzing and reducing attack surface more effective.</FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt"><FONT face=Calibri size=3>Three articles are more than enough for one team for one month! But be on the lookout for more articles from the usual SDL suspects in the near future. As always, keep watching this space for details.</FONT></P>]]></content:encoded>
      <pubDate>Thu, 13 Nov 2008 20:58:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/sdl">sdl</category>
      <category domain="http://securityratty.com/tag/usual sdl suspects">usual sdl suspects</category>
      <category domain="http://securityratty.com/tag/sdl approach">sdl approach</category>
      <category domain="http://securityratty.com/tag/annual security issue">annual security issue</category>
      <category domain="http://securityratty.com/tag/agile sdl">agile sdl</category>
      <category domain="http://securityratty.com/tag/sdl activities">sdl activities</category>
      <category domain="http://securityratty.com/tag/security process">security process</category>
      <category domain="http://securityratty.com/tag/sdl team">sdl team</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/11/13/msdn-security-issue-articles.aspx">MSDN Security Issue Articles</source>
    </item>
    <item>
      <title><![CDATA[MasterEncryptionKeys.XLS]]></title>
      <link>http://securityratty.com/article/2d029980f976c5f3b2565abc0477176a</link>
      <guid>http://securityratty.com/article/2d029980f976c5f3b2565abc0477176a</guid>
      <description><![CDATA[My column from May on digital certificate management software mentioned Venafi, a company in that space. A Venafi blog yesterday (which quotes my column, so the cross-linking here is getting pretty...]]></description>
      <content:encoded><![CDATA[<a href="http://www.eweek.com/c/a/Security/How-Does-Your-Enterprise-Manage-Digital-Certificates/">My column from May on digital certificate management software</a> mentioned Venafi, a company in that space. 

<a href="http://venafiblog.com/index.php/2008/10/20/gregorywebb/the-competition-and-gartner-itxpo-and-symposium/">A Venafi blog yesterday</a> (which quotes my column, so the cross-linking here is getting pretty aggressive) discusses a trip by Gregory Webb of Venafi to the Gartner Symposium/ITxpo. Webb asked around for what attendees used to manage certificates, and the answer was almost unanimous: a spreadsheet and some calendar reminders. 

You might say that it works, so who cares, but does it really work well? My impression is that it's not uncommon for these things to expire unnoticed. What happens if the employee who manages it leaves or (as one boss put it to me) "falls through a manhole"? You can bet something will go wrong.
]]></content:encoded>
      <pubDate>Tue, 21 Oct 2008 11:54:43 +0000</pubDate>
      <category domain="http://securityratty.com/tag/venafi">venafi</category>
      <category domain="http://securityratty.com/tag/venafi blog yesterday">venafi blog yesterday</category>
      <category domain="http://securityratty.com/tag/gregory webb">gregory webb</category>
      <category domain="http://securityratty.com/tag/webb">webb</category>
      <category domain="http://securityratty.com/tag/gartner symposiumitxpo">gartner symposiumitxpo</category>
      <category domain="http://securityratty.com/tag/calendar reminders">calendar reminders</category>
      <category domain="http://securityratty.com/tag/pretty aggressive">pretty aggressive</category>
      <category domain="http://securityratty.com/tag/column">column</category>
      <category domain="http://securityratty.com/tag/management software">management software</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/JFarH07avuE/masterencryptionkeysxls.html">MasterEncryptionKeys.XLS</source>
    </item>
    <item>
      <title><![CDATA[Debunking the Latest Fear Mongering News on WPA security]]></title>
      <link>http://securityratty.com/article/db5c2f6d20bfbc204064e7ebc539557c</link>
      <guid>http://securityratty.com/article/db5c2f6d20bfbc204064e7ebc539557c</guid>
      <description><![CDATA[I had been meaning to write about recent exaggerated claims that WPA security had been hacked, but George Ou beat me to it. The buzz comes from Elcomsoft's Distributed Password Recovery. The...]]></description>
      <content:encoded><![CDATA[I had been meaning to write about recent exaggerated claims that WPA security had been hacked, but <a href="http://www.formortals.com/Home/tabid/36/EntryID/119/Default.aspx">George Ou beat me to it</a>.

The buzz comes from <a href="http://www.elcomsoft.com/edpr.html">Elcomsoft's Distributed Password Recovery</a>. The innovation is that they use NVIDIA GPU acceleration for password cracking and can distribute the crack across a network to multiple clients and their NVIDIA GPUs. The GPU acceleration, they claim, "reduces password recovery time by a factor of 20."

They also take the unfortunate approach, <a href="http://www.elcomsoft.com/PR/edpr_081009_en.pdf">in a press release</a>, of claiming massive gains in cracking WPA and WPA2 protection, and that they can "...break Wi-Fi encryption up to 100 times faster than by using CPU only."

100 times! 2 orders of magnitude! That must be a lot, right? Well, probably not. This is where George Ou calls shenanigans.

First, he points out that this only affects password protection systems that rely on password complexity, and that, as a general rule, the time involved is proportional to the complexity of the password. So if your password would normally take a million years to crack, it would take 10,000 years with this system. Draw your own conclusions.

He also points out, just to get past the WPA buzzwordism, that this is a more general attack mechanism and could, for example, be used against certain VPN systems.

With respect to WPA/WPA2 specifically, the attack is generally useful only against home users, because they are generally the ones using PSK (Private Shared Key) authentication. "It has zero affect enterprise mode WPA deployments which use TLS protected authentication such as PEAP or EAP-TLS. Internal LAN authentication schemes such as NTLM and LDAP are also significantly weakened.  SSL authentication schemes are not vulnerable to this particular attack."

If you are relying on password complexity for protection then his advice, and mine, is old news: first, if you're a business, perhaps you should be using a TLS-based authentication system. Also, you should make sure that your passwords are sufficiently complex and changed often enough. Ou has some specific advice about this in his column, but as he says, there are usually easier ways to get passwords (like offering people chocolate for them) than to spend years cracking them with thousands of dollars of computing power.
]]></content:encoded>
      <pubDate>Mon, 13 Oct 2008 05:07:51 +0000</pubDate>
      <category domain="http://securityratty.com/tag/wpa">wpa</category>
      <category domain="http://securityratty.com/tag/password">password</category>
      <category domain="http://securityratty.com/tag/password recovery">password recovery</category>
      <category domain="http://securityratty.com/tag/password complexity">password complexity</category>
      <category domain="http://securityratty.com/tag/authentication">authentication</category>
      <category domain="http://securityratty.com/tag/authentication system">authentication system</category>
      <category domain="http://securityratty.com/tag/complexity">complexity</category>
      <category domain="http://securityratty.com/tag/wpa security">wpa security</category>
      <category domain="http://securityratty.com/tag/nvidia gpu acceleration">nvidia gpu acceleration</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/zhaPa_33ZEQ/debunking_the_latest_fear_mongering_news_on_wpa_security.html">Debunking the Latest Fear Mongering News on WPA security</source>
    </item>
    <item>
      <title><![CDATA[Expanding Response: Deeper Analysis for Incident Handlers]]></title>
      <link>http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90</link>
      <guid>http://securityratty.com/article/3bd8455fedce6ac873ea3b9f63cd7b90</guid>
      <description><![CDATA[To achieve my GCIH Gold, I recently completed a paper called Expanding Response: Deeper Analysis for Incident Handlers, now available in the SANS Reading Room. The premise was to further expand on...]]></description>
      <content:encoded><![CDATA[To achieve my GCIH Gold, I recently completed a paper called <a href="http://www.sans.org/reading_room/whitepapers/incident/32904.php">Expanding Response: Deeper Analysis for Incident Handlers</a>, now available in the <a href="http://www.sans.org/reading_room/">SANS Reading Room</a>. The premise was to further expand on the topics discussed in my <a href="http://holisticinfosec.blogspot.com/2007/12/malware-analysis-tools.html">Malware analysis tools</a> post. This paper includes tools discussed at various times in my <a href="http://holisticinfosec.org/content/view/12/26/">toolsmith</a> column in the <a href="http://issa.org/Members/Journal.html">ISSA Journal</a>, and includes details on <a href="http://qosient.com/argus/">Argus</a>, <a href="http://www.rawpacket.org/projects/hex/hex-livecd/version-20-release">HeX</a>, <a href="http://writequit.org/projects/nsm-console/">NSM-Console</a>, and <a href="http://sourceforge.net/projects/networkminer/">NetworkMiner</a>.<br /><br />Abstract:<br />    <span style="font-style:italic;">"The perspective embraced for this discussion is that of an analyst who is working a process to determine the exact nature of malicious software on his network. He is in receipt of the above mentioned .exe and .pcap files and seeks to further his understanding with the use of less typical tools. 
She begins the process with the network capture, and then takes a closer look at the binary to see what can be learned and what the impacts of an outbreak on her network might be."</span>]]></content:encoded>
      <pubDate>Fri, 10 Oct 2008 04:38:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/paper includes tools">paper includes tools</category>
      <category domain="http://securityratty.com/tag/incident handlers">incident handlers</category>
      <category domain="http://securityratty.com/tag/network capture">network capture</category>
      <category domain="http://securityratty.com/tag/deeper analysis">deeper analysis</category>
      <category domain="http://securityratty.com/tag/paper">paper</category>
      <category domain="http://securityratty.com/tag/gcih gold">gcih gold</category>
      <category domain="http://securityratty.com/tag/includes details">includes details</category>
      <category domain="http://securityratty.com/tag/pcap files">pcap files</category>
      <source url="http://holisticinfosec.blogspot.com/2008/10/expanding-response-deeper-analysis-for.html">Expanding Response: Deeper Analysis for Incident Handlers</source>
    </item>
    <item>
      <title><![CDATA[Information Assurance Education: A Work In Progress]]></title>
      <link>http://securityratty.com/article/cd2b253bc91e0e99b5809e677391c0cd</link>
      <guid>http://securityratty.com/article/cd2b253bc91e0e99b5809e677391c0cd</guid>
      <description><![CDATA[The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies...]]></description>
      <content:encoded><![CDATA[The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies that rely on the Internet. Thus, more people see the need to protect cyberspace—which translates into improving computer security in all aspects of computer use—as crucial for everyone, not merely for those who work with technology. In this column, we reflect on emerging opportunities and challenges in instruction as well as the need for increasing the partnerships among industry, government, and academia to foster mutual understanding of challenges and joint participation in solutions.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Wed, 08 Oct 2008 00:42:06 +0000</pubDate>
      <category domain="http://securityratty.com/tag/computer security education">computer security education</category>
      <category domain="http://securityratty.com/tag/computer security">computer security</category>
      <category domain="http://securityratty.com/tag/computer useas crucial">computer useas crucial</category>
      <category domain="http://securityratty.com/tag/joint participation">joint participation</category>
      <category domain="http://securityratty.com/tag/protect cyberspacewhich">protect cyberspacewhich</category>
      <category domain="http://securityratty.com/tag/challenges">challenges</category>
      <category domain="http://securityratty.com/tag/foster mutual">foster mutual</category>
      <category domain="http://securityratty.com/tag/threats faced">threats faced</category>
      <category domain="http://securityratty.com/tag/recent cyberattacks">recent cyberattacks</category>
      <source url="http://www.pheedo.com/click.phdo?i=7d1fe7bdf14bc24c805d7320845ac7e9">Information Assurance Education: A Work In Progress</source>
    </item>
    <item>
      <title><![CDATA[Palin and politics: lots to talk about ]]></title>
      <link>http://securityratty.com/article/ed234b897e908289f742708600d0ee34</link>
      <guid>http://securityratty.com/article/ed234b897e908289f742708600d0ee34</guid>
      <description><![CDATA[Gibbs discusses reader feedback to last week's column about the break-in of Republican vice-presidential candidate Sarah Palin's e-mail account and the heady intersection of IT and...]]></description>
      <content:encoded><![CDATA[Gibbs discusses reader feedback to last week's column about the break-in of Republican vice-presidential candidate Sarah Palin's e-mail account and the heady intersection of IT and politics. ]]></content:encoded>
      <pubDate>Thu, 02 Oct 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/politics">politics</category>
      <category domain="http://securityratty.com/tag/e-mail account">e-mail account</category>
      <category domain="http://securityratty.com/tag/sarah palin">sarah palin</category>
      <category domain="http://securityratty.com/tag/heady intersection">heady intersection</category>
      <category domain="http://securityratty.com/tag/week">week</category>
      <category domain="http://securityratty.com/tag/break-in">break-in</category>
      <category domain="http://securityratty.com/tag/republican">republican</category>
      <category domain="http://securityratty.com/tag/column">column</category>
      <source url="http://www.networkworld.com/columnists/2008/100308-backspin.html?fsrc=rss-security">Palin and politics: lots to talk about </source>
    </item>
    <item>
      <title><![CDATA[Passgen tool from my book]]></title>
      <link>http://securityratty.com/article/10fd1ee17e5b6f22fc7c246edbe0163b</link>
      <guid>http://securityratty.com/article/10fd1ee17e5b6f22fc7c246edbe0163b</guid>
      <description><![CDATA[Way back in 2005, Jesper Johannson and I wrote Protect Your Windows Network. It's still available, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the...]]></description>
      <content:encoded><![CDATA[<p>Way back in 2005, <a target="_blank" href="http://msinfluentials.com/blogs/jesper/">Jesper Johannson</a> and I wrote <em>Protect Your Windows Network</em>. It’s <a target="_blank" href="http://www.amazon.com/dp/0321336437">still available</a>, and although its product set is now somewhat dated (Windows XP and Server 2003), much of the practical advice about security policies, social engineering, security dependencies, and how to think about security remains relevant. That’s because we strove to write something more lasting than a simple configuration guide.</p>  <p>On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.</p>  <p>For a while Jesper maintained a web site for the book, running on a server in his house. His <a target="_blank" href="http://www.comcast.net/terms/subscriber/">ISP</a> changed <a target="_blank" href="http://www.comcast.net/terms/use/">policies</a> and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my <a target="_blank" href="http://steveriley-ms.spaces.live.com/">SkyDrive</a>—look in the “<a target="_blank" href="http://cid-45497626ab321d20.skydrive.live.com/browse.aspx/Passgen">Passgen</a>” folder.</p>  <p>Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.</p>]]></content:encoded>
      <pubDate>Mon, 29 Sep 2008 16:42:29 +0000</pubDate>
      <category domain="http://securityratty.com/tag/tool">tool</category>
      <category domain="http://securityratty.com/tag/passwords">passwords</category>
      <category domain="http://securityratty.com/tag/passwords remotely">passwords remotely</category>
      <category domain="http://securityratty.com/tag/book">book</category>
      <category domain="http://securityratty.com/tag/unique passwords based">unique passwords based</category>
      <category domain="http://securityratty.com/tag/relevant">relevant</category>
      <category domain="http://securityratty.com/tag/security remains relevant">security remains relevant</category>
      <category domain="http://securityratty.com/tag/windows network">windows network</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <source url="http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx">Passgen tool from my book</source>
    </item>
    <item>
      <title><![CDATA[What does the financial meltdown mean for security?]]></title>
      <link>http://securityratty.com/article/36355f4816746091822555f2218e34b2</link>
      <guid>http://securityratty.com/article/36355f4816746091822555f2218e34b2</guid>
      <description><![CDATA[At first, this was going to be a column about the PR machine's hyperbolic efforts to connect the state of IT and security with the current financial crisis. Indeed, some have shamelessly sent me story...]]></description>
      <content:encoded><![CDATA[At first, this was going to be a column about the PR machine's hyperbolic efforts to connect the state of IT and security with the current financial crisis. Indeed, some have shamelessly sent me story pitches that try to get some bang out of the Wall Street meltdown.]]></content:encoded>
      <pubDate>Thu, 25 Sep 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/current financial crisis">current financial crisis</category>
      <category domain="http://securityratty.com/tag/wall street meltdown">wall street meltdown</category>
      <category domain="http://securityratty.com/tag/story pitches">story pitches</category>
      <category domain="http://securityratty.com/tag/hyperbolic efforts">hyperbolic efforts</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/bang">bang</category>
      <category domain="http://securityratty.com/tag/shamelessly">shamelessly</category>
      <category domain="http://securityratty.com/tag/machine">machine</category>
      <category domain="http://securityratty.com/tag/column">column</category>
      <source url="http://www.networkworld.com/news/2008/092608-what-does-the-financial-meltdown.html?fsrc=rss-security">What does the financial meltdown mean for security?</source>
    </item>
    <item>
      <title><![CDATA[Dell System with Useless Memory]]></title>
      <link>http://securityratty.com/article/61974cbdd2ec9059cb511964767ab701</link>
      <guid>http://securityratty.com/article/61974cbdd2ec9059cb511964767ab701</guid>
      <description><![CDATA[In my e-mail this morning was a flier from Costco. I have to go buy some stuff there this morning, so I read it and noticed a Dell desktop computer among the items. Note that the Costco links above...]]></description>
      <content:encoded><![CDATA[In my e-mail this morning was <a href="http://click.online.costco.com/dm?id=172AAC0B8C772EF26473AE9104579909">a flier from Costco</a>. I have to go buy some stuff there this morning, so I read it and noticed <a href="http://www.costco.com/Browse/Product.aspx?Prodid=11188958&cm_mmc=BCEmail_341-_-BANNER-_-3-_-Dell518">a Dell desktop computer</a> among the items.

Note that the Costco links above probably have a short lifetime, so if you're reading this weeks after the posting date (9/20/2008), they won't work.

What immediately struck me about the newsletter was that it said that the system had 4GB of RAM. As I discussed in <a href="http://www.eweek.com/c/a/Security/When-Windows-Goes-All-64Bit/?kc=MPOP">my recent column on when Windows goes all 64-bit</a>, in 32-bit versions of Windows at most 3.1GB to 3.5GB of RAM are usable, probably more like the 3.1 number. You need 64-bit Windows to use all of the memory. Was Costco selling a Win64 system?

Nope, the ad says it has "Microsoft® Windows® Vista Home Premium 32-bit." 

Beware of this sort of thing. It's not a lot of wasted money, but it's still a waste. I suspect it will become more of an issue over time as vendors try, as they always do, to beef up computers and run up against this wall.
]]></content:encoded>
      <pubDate>Sat, 20 Sep 2008 03:03:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/64-bit">64-bit</category>
      <category domain="http://securityratty.com/tag/64-bit windows">64-bit windows</category>
      <category domain="http://securityratty.com/tag/windows">windows</category>
      <category domain="http://securityratty.com/tag/costco links">costco links</category>
      <category domain="http://securityratty.com/tag/costco">costco</category>
      <category domain="http://securityratty.com/tag/dell desktop computer">dell desktop computer</category>
      <category domain="http://securityratty.com/tag/win64 system">win64 system</category>
      <category domain="http://securityratty.com/tag/32-bit versions">32-bit versions</category>
      <source url="http://feeds.ziffdavisenterprise.com/~r/RSS/cheap_hack/~3/TXvq0jKWjCM/dell_system_with_useless_memory.html">Dell System with Useless Memory</source>
    </item>
  </channel>
</rss>
