[SecurityRatty] tag: draw

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

Tue, 18 Nov 2008 19:47:55 +0000

The Economics of Finding and Fixing Vulnerabilities in Distributed Systems

Quality of Protection Keynote

Alexandria, VA

October 27. 2008

Gunnar Peterson

Managing Principal, Arctec Group

Blog: http://1raindrop.typepad.com

When Andy Ozment asked me over the summer to do this talk at QoP, I knew back in August that the topic I wanted to address was security and economics. So to that end I would like to start by thanking all of our friends on Wall Street and here in Washington DC for providing such a rich tapestry of recent events that I can speak to.

Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is"[1], there are not many people who can call a ten year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, consultants, and everyone else has realized that security is really about risk management.

Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter [2] talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.

So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation - "All these people are talking about risk, but they don't have any assets." You can't do risk management if you don't know your assets.

Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.

Recent events have taught us again, that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk looking at his career as a way to understand risk management and what we can infer for our digital assets.

Warren Buffett's evolution as an investor can be broken up into two parts. He began his career very much influenced by Ben Graham, who sought to buy "cheap stocks", comparing the price of the stock to value of the company's assets, and placing many, diversified bets on companies whose share price was below the total assets. Note that the businesses may have been of unremarkable quality, but when the price was right Graham would buy in, wait for it to rise and then sell. This was the dawn of value investing.

Buffett's later career departed from Graham's strict, statistical measures, where he sought to buy into companies that were selling at a fair price, but were also high quality businesses. We will examine high quality in Part 2 of this talk, but first we go to Part 1 which is asset value.

Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to. You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.

When Warren Buffett was 19 years old studying at the University of Nebraska, he read Ben Graham's book "The Intelligent Investor", Buffett said he thought it was the best book on investing he has ever read and still feels that way today. In the Intelligent Investor Graham lays out the framework of value investing. Specifically, Graham talks about three concepts - Mr. Market, a stock is a piece of a business, and Margin of Safety.

Mr. Market is a fictional, teaching device invented by Graham. You imagine that you have a somewhat manic depressive business partner called Mr. Market. Every day, Mr. Market comes into the office and offers you quotes on companies, some days he is in a good mood and the prices are high, other days he is gloomy and prices are low. The market is a quote machine, for quoting prices, not a value assessment machine. Your job is to wait for the right price, and you are free to take as many passes and be as patient as you would like, Mr. Market will just show up the next day and throw out a new price.

Graham used Mr. Market to teach us the separation between a price of a stock, and the value of a company. The second big concept from Intelligent Investor is that buying a stock is buying a small piece of the underlying business. You are not buying a roulette chip, or a number that fluctuates in the newspaper every day, rather you are buying a piece of the company's existing and future cash flow. What the stock market says General Electric is worth yesterday, today or tomorrow is separate from GE's actual ability to generate cash flow.

The last big concept in "The Intelligent Investor" and the one seemingly most applicable to information security is the Margin of Safety. Graham's margin of safety involved calculating the intrinsic value of a business and then buying stock where the market cap of a company is less than its intrinsic value. So if a company has $100 million in assets and a market capitalization of $75 million, then an investor would get a 25% margin of safety. Ideally, Graham wanted to buy stocks that were selling for one half of their book value, i.e. with a 50% margin of safety. Graham said that buying stocks without a margin of safety, above their book value, speculation, not investing.

So price is readily available, but how do we calculate intrinsic value so that we can ascertain the margin of safety? Graham used quantitative statistical measures, relying heavily on the company's book value, like its hard assets. What would it take for a competitor to reproduce the company's assets - its factories, distribution system, and so on. The difference between the book value of the assets and market cap is the margin of safety.

What can we learn in information security from this quantitative approach? Where price and value are readily ascertainable we should build countermeasures and eliminate on vulnerabilities that give our assets a wide margin of safety. Since budgets are not unlimited we should prefer vulnerabilities that are cheap to find, cheap to fix.

First to the asset question, information security budgets like all IT budgets are crufty, they are not a reflection of today's top issues and priorities so much as an accumulating snowball of decisions, legacy contracts, and solution attempts to yesteryear's problems. Today the normal Information Security budget is just a legacy artifact from bygone years when the network was the purported greatest vulnerability. If you were around in 1995, you remember the great gnashing of gears as the enterprises opened up their networks, connected their back ends to the Web and began to transact business in the giant virtual space.

The security people huffed and puffed that it was dangerous but there was simply too much money to be made, so businesses went ahead. The security people would not go down without a fight and insisted on countermeasures. They got two - the network firewall and SSL. The firewall was used to separate the average Fortune 500s network of hundreds of thousands of machines, employees, consultants, and partners from the web at large. SSL was used to protect the network channel between the web server and the client browser. so the network firewall separated the network segments, and SSL in effect encrypted the last mile of many million complex transactions and computations.

In 1995, this seemed like a good security architecture. When we built out these security architectures, the eCommerce market was derided as a toy. Amazon famously lost money for years - losing a little on every transaction but making it up in volume. When the market is nascent, a quaint security architecture offers cost effective protection. But what about 2008? Those cute little eCommerce buggers have grown they even make profits now - market caps measured in the tens of billions, accumulating large cash hordes, no debt, and the largest ones are in better financial shape than the financial services players that kicked sand in their face in the dotcom era.

And its not just eCommerce, the "real" economy Fortune 500 types are all connected as well. Directly and indirectly the Web is seeping into all businesses. Major changes from when the security architecture of the web was built out. But has the security architecture changed to reflect these new business realities? Not a bit of it!

We can use the book value of the IT budget investments and the book value of the Information Security investments to see what kind of Margins of Safety Information Security groups are engineering.

Let's look at some market data, Gary McGraw reviewed the numbers [2] in software security for 2007, breaking down software security sectors like tools and services. Here is a summary of his findings on software security tools:

"One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million."

These are very nice growth numbers, what company doesn't want 83% growth? However, the let's look at the total picture and compare the software security countermeasures against other security mechanisms. Gary McGraw's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space, in what alternate universe does this make sense?

This is where we begin to see that decisions in the People's Republic of Information Security have no real risk management thinking, they truly are swimming naked and hoping the tide doesn't go out.

Let's look at network assets. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion in just three vendors and you are going to "defend" that with allocating $150 Million worth of software security tools?

On the network side we are buying $900 million of security countermeasures (Checkpoint firewalls) to protect $39.5 billion worth of Cisco gear, about 2.3% of the network investment goes to security.

On the software side, we are buying $150 million of security countermeasures (like static analysis and black box scanners) to protect $98 billion of software (you know the stuff that runs the whole business), roughly coming to about 0.2% of the software budget goes to security.

This is very disturbing. From a prioritization standpoint The People's Republic of Information Security is misaligned by an order of magnitude at least. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball, it invests in network security not because those controls have greater efficacy (the whole point of networks is they are dumb), no, they invest in network firewalls because they bought a bunch in 1995, some more in 1998, and heck they just kept buying them, the Checkpoint rep kept showing up and taking CISOs out to play golf, contracts got renewed, and poof - there goes the security budget.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take network security as a target for a mature industry and assume that 2.3% is a reasonable margin of safety, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.

My friend Brian Chess has a nice way of looking at this he says 2007 was the turning point - "the first year there was a bigger market for products that help you get code right than there was for products that help you demonstrate a problem exists."

Now I am not suggesting that Information Security budgets have to be aligned with IT budget one for one, but I do think that looking at the overall IT budget is the starting point. If Information Security has a more cost effective security mechanism they should deploy it, but the starting point should be aligned to the business. Businesses spend most of their money on software, and there are very good reasons - competitive advantage, increased revenues and lower costs. Information Security spends most of its money on network security, and there is no good reason why, except that it was a seemingly good idea in 1995. You really don't have to go beyond the book value of IT investment as a whole versus Information Security to see a stunning disparity. Information Security's job is to deliver a Margin of Safety to the business, but they are not.

To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:

- Network: all the resources invested in Cisco, network admins, etc.

- Host: all the resources invested in Unix, Windows, sys admins, etc.

- Applications: all the resources invested in developers, CRM, ERP, etc.

- Data: all the resources invested in databases, DBAs, etc.

Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.

Then do the same exercise for the Information Security budget:

- Network: all the resources invested in network firewalls, firewall admins, etc.

- Host: all the resources invested in Vulnerability management, patching, etc.

- Applications: all the resources invested in static analysis, black box scanning etc.

- Data: all the resources invested in database encryption, database monitoring, etc.

Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!

Its not just about alignment for alignment's sake, its about applying controls as a way to have a Margin of Safety properly placed so that when not if there is a failure on a higher value asset you are relatively better positioned to deal with it.

The pure statistical approach can only take us so far. Buffett said he would be a lot poorer if all he did was listen to Ben Graham. Book value is great to see the diametric opposition mentioned above, but it doesn't really tell us much about the efficacy of the security mechanisms.

What we do get out of this statistical approach is a screen. The asset value screen filters out subjective opinion and narrows the field for where we need to dig in to do the high value, time consuming analytical work.

The second part of Warren Buffett's career and the second part of this talk leave behind pure statistical measures. In Warren Buffett's case he was joined by a guy named Charlie Munger who talked him out of the pure Ben Graham approach. Charlie Munger has a saying - "a great business at a fair price beats a fair business at a great price." Where Graham was focused on price and margin of safety, Munger wants a fair price but also a high quality business. This lead to Warren Buffett's company Berkshire Hathaway investing in companies like Coca Cola, Wells Fargo, and American Express, where the prices were far from dirt cheap (as Graham would have wanted), but the long term returns were outstanding.

In our world of Information Security, we start by aligning our priorities with the business using the thumbnail defense in depth approach, but then we would like to invest in high quality, effective controls.

To get at the notion of control quality and effectiveness, I am going to start part 2 of this talk with a brief history of software. The first web software was just static HTML, but web software really got interesting when developers started creating dynamic websites using CGI an PERL.

Once websites were hooked up to company databases and were not just serving static content, the security people realized they needed a security architecture, and they sprung into action. What they came up was was model that divided the world into "good stuff" which was comprised of all their networks, systems, and data; and then there was everything else the "bad stuff" on the Internet. So job one of the early days Internet security architecture was to separate all your good stuff (i.e. your network) for the bad stuff (the Internet). To do this the security people used a sophisticated tool called Visio to draw a flaming brick wall on the network diagram, and this flaming brick wall was supposed to keep the good stuff and the bad stuff separate.

The security people also realized that the data and session tokens that they served up from their Web server would have to traverse the "bad" neighborhood called the Internet, so they added one more security mechanism to secure the last mile of the transaction - SSL between the browser and the Web server.

And this was the state of the art security architecture used circa 1995 to protect the earliest dynamic web applications.

What happened next was that the dotcom boom started to happen and businesses realized they could make some real money on the Web, the web apps started to get more sophisticated, more personalization, richer session experiences and so on. This led the Java people to create JSP and the Microsoft people to create ASP, and of course the PERL people to create even greasier PERL scripts, all of this in the effort to pooling resources and sessions on the Web server. The security people defended this new application programming model with network firewall and SSL.

Around 1998, developers began building out more distributed N tier or 3 tier applications that separated the business logic layer, the presentation layer and the data access layer. Among other things, your web application could seamlessly integrate data from multiple back ends systems. Let's say you have pricing data in Oracle, order data in SAP, and customer data in a Mainframe. You write separate data access objects, apply business logic in the middle tier and then you tie it all together in a friendly user interface. At this point the web applications are beginning to integrate across departments and geographic boundaries, huge critical chunks of the business are now connected to the web. How did the security people defend this part of the business? They applied the same 1995 security architecture - network firewall and SSL.

Around 1999-2000 timeframe businesses relied on web applications for major parts of the revenue, and the apps were built in different technologies like Java and Microsoft technologies, but the customer didn't care (still doesn't), the customer wanted (and still wants) data access and functionality. So to integrate the disparate technologies, SOAP and XML were deployed so that Microsoft could talk to Java and so Websphere could talk to Weblogic and so on. And, oh yes, SOAP and XML were used to connect B2B networks so partners in a supply chain and business process can exchange data and interoperate. SOAP and XML present a fundamentally new programming model based on a message document style integration, where XML is used to mesh together data and functionality across platforms. SOAP and XML have no security model by default for authentication, authorization, and confidentiality. How did the security people deal with this? They kept the security architecture the same as they had in 1995 - network firewalls and SSL.

The software world did not stop innovating in 2000 of course, in the last few years we have seen Web services and XML form the basis of baroque and powerful SOAs and simple REST applications. We have seen Web 2.0 come on the scene, and entirely new networked applications built on top of that.

What we have not seen, is a single meaningful change in security architecture in 13 years. Developers have evolved, businesses have increasingly bet their entire business models on the web and they have increased security budgets. But what has the security architecture as its deployed in the field got to show for all of this? More firewalls and more SSL connections.

Since Information Security has proven incapable of evolving, it is time to learn from a discipline that has mastered innovation - software development, and yes, I will step back in case the lightning bolts hits.

What does software development focus on these days? Well, let's look at Service Oriented Architecture (SOA), all hype aside I look at SOA as a set of technologies that delivers three things:

Virtualization: we want Beijing, Bangalore and Boston to communicate.

Interoperability: we want our .Net stuff to talk to our java stuff.

Reusability: how many order/claim/pricing/customer systems does one company need?

To build out their SOA, developers separated the application interface from its implementation. So you can host the interface in a variety of locations, but its separate from the application logic and data.

This is also a useful trick for putting services like SOAP through the firewall. SOAP was designed as a firewall friendly protocol. When SOAP first came out, Bruce Schneier said calling SOAP a firewall friendly protocol is like having a skull friendly bullet. Which is a great line and explains why his books fly off the shelves, it does not explain, why security people think an architecture designed in 1995 is the one we should be using today. Maybe the problem is not that the developers figured out how to go through the firewall to get the data their customers want, maybe the problem is that the firewall is the sum total of the security architecture, and it never adapted.

A big part of this problem is that we have left Newton's world behind and entered Einstein's universe. Mainframes are Newton’s world, we have THE computer, THE price, THE record and so on.

As Pat Helland explained [4,5], Mainframes are Newron's world, but Distributed computing is Einstein’s world. More specifically in the Einstein world of distributed computing - "Computers don’t make decisions, computers try to make decisions." Our computers don't really make a decision, they say you can buy this book from Amazon at this price, we have it in stock and will deliver on such and such a date. But the warehouse runs out, the pallet gets dropped in the warehouse, your boo is crushed, and the package is stolen off your front step. The computer confirmed your transaction, but the real world intervened.

So we don't have iron clad decisions, instead its all about Memories (last time I checked your book was in stock), Guesses (we should be able to ship on this date) and Apologies (sorry the forklift ran over your book)

Translating this into security, security mechanisms don’t make policy-based decisions, security mechanisms try to make policy-based decisions

Some examples of memories, guesses and apologies in security

Memories

Security Policies - for example Triple A policy

Triple A policies can memorize a map of subjects, objects, and roles. They can even replicate these memories and play them back at runtime to try to make policy enforcement decisions.

Guesses

Security Policy Enforcement Decision

Unfortunately, while the policy enforcement decisions can be based on memorized logic, the decision itself is still a guess, even in the case of Triple A. Any guesses why? Because, the authentication process itself is a guess. It happens to be a guess that you then bind to a principal so it looks very official once you bind your guess to a Kerberos ticket or SAML assertion, but it still a guess.

Apologies

Giant Global Bank is sorry your account was compromised!

And this leads to lots and lots of apologies by companies with poor access control models.

Some additional examples of information security memories, guesses and apologies.

Example Memories - Triple A Security Policies, Audit logs, User account information , Authorization Logic - concrete mapping Subject, Resource, Condition, Action

Example Guesses - Security Policy Enforcement Decision Points, Authentication Logic, Monitoring, detection, fraud response

Example Apologies - Identity Management tools - provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction - Giant Global Bank is still sorry your account was compromised!

The point of this is that security memories, guesses and apologies utilize different processes, different people, and different capabilities to be effective.

What trends can we identify to lead us toward better qualitative analysis based on the best practices of virtualization, interoperability and reusability.

Virtualization

Finding Vulnerabilities in a Virtualized World is a problem because applications are more configured than coded. Runtime behavior and structure not apparent due to weak typing and inversion of control.

Result - finding bugs becomes harder. Action - use screens to target finding time and resources

Fixing Vulnerabilities in a Virtualized World is a problem because how do I locate the controls when interfaces run in Beijing, Bangalore and Boston?

Result - synchronization and/or replication of security policy is problematic. Action - decentralized policy enforcement points and policy decision points.

Interoperability

Finding interoperable vulnerabilities

XSS - Javascript is an equal opportunity offender - interoperability for developers and attackers alike.

Fixing interoperable vulnerabilities

App servers, ESBs, and services are the attacker’s red carpet to your enterprise, right into your book of business. Interoperable access control can be leveraged across the enterprise.

Use XML signature for authentication and integrity

…

Use XML encryption to protect sensitive data, don't pass sensitive data in the clear

My Credit Card Number

Encrypt the data

…

XNQ0a4legiie5mWFxO6CQkk2hhldYNnKroObue/LXS/VYtvaTgMbCujhGExDi+vlkU//Qc2/T6mx0WVTmBMT3z8rogha8jD+nS9Zr2Bc3CwoTh2lh8wL3D0DEu91iwJT9JByLGXvt7v9lyuxK0ooDOYEClsH974CPmTs3tBC+GQ=

To ensure that these controls are applied use automated tools like static analysis to scan for security mechanism use and coverage.

In terms of reusability findings and fixes consider two bug findings

Session management bug: session state is passed around to every component, service and user. Makes for many high priority findings in audit report, also the fix is required on virtually every program

Data validation bug: Data access object (DAO) has a SQL injection hole. One major high priority finding in report. DAO used by many business logic classes, one fix location serves many classes

To bring these factors together, I generally use a scorecard index [6], so you can measure such things as transport security, message security, threat protection and so on. The hard work in developing the index is developing a useful scale. A scale for XML tokens could use the following

0: no token

1: hashed token

2: hashed and signed token

3: hashed and signed token from standard authoritative source

An example scale for XML validation could use:

0: no validation

1: schema validation

2: schema validation against hardened schema

3: schema validation against standard, hardened schema

These indexed scales are used to show maturity across the factors in the scorecard. The first part of the talk described value, the value assessment is used to focus time and effort on high value assets. The value assessment can be determined quantitatively. There is hard analytical work to qualitatively determine the scorecard, index, and scales, the quantitative value assessment is used to screen out high value targets for these endeavors. The scoring index is used to track progress and improve quality over time. In the best case scenario, automated tools are used to perform the checks described in the index, and once security is automated just like software developers we may see security innovation make progress in years not decades.

Thank you for your time.

1 "Risk Management is where the Money Is" by Dan Geer, http://catless.ncl.ac.uk/Risks/20.06.html

2 Berkshire Hathaway 2007 Shareholder Letter by Warren Buffett, http://www.berkshirehathaway.com/letters/2007ltr.pdf

3 "Software [In]security: Software Security Demand Rising, by Gary McGraw

http://www.informit.com/articles/article.aspx?p=1237978

4 "SOA and Newton's Universe" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/20/soa-and-newton-s-universe.aspx

5 "Memories, Guesses and Apologies" by Pat Helland, http://blogs.msdn.com/pathelland/archive/2007/05/15/memories-guesses-and-apologies.aspx

6 "Web Servicres Security Checklist" by Gunnar Peterson, http://arctecgroup.net/pdf/WebServicesSecurityChecklist.pdf

NBA Preview and Flashback

Tue, 28 Oct 2008 20:42:50 +0000

NBA starts today, it is always good to have something to look forward to once the weather gets cold in Minnie. I follow two teams. The Celtics who have a decent chance at repeating as champs. KG and Pierce should be back in full force, hopefully Ray Allen holds up. Perkins and Rondo may get a little better with experience. Biggest loss is Posey and we will miss him a lot more than people think. A real glue guy, defense, passing, rebounding, makes the smart plays and as a middleware guy myself I can relate. He will make CP3 even more dangerous.

The other team I follow is the Timberwolves. I think they will be pretty good this year. Al Jefferson is a beast down low. Only four players averaged 20 and 10 last year and he is one. He is the best big man in the post after Duncan. Getting Love and Miller for OJ Mayo was a smart deal by McHale. I think McCants can be a decent instant offense 6th man. Would be good to see Foye step up this year. Weakness looks to be defense

*Flashback*

I am biased but I think the 1980s was the most fun time to watch NBA. Everyone talks about Bird and Magic, but there were a lot of great players back then. Here is my all underrated 1980s team (no Celtics included due to conflict of interest and unobjectivity)

C: Moses Malone - beast of a big man, immovable force under the hoop with fantastic foot work for a big man. It is too bad he was traded by Portland because he and Bill Walton would have been the best big man combo of all time.

PF: Bobby Jones - great defender, good rebounder, good passer for a big man. Typical Tar Heel -fundamentally sound. He would be the James Posey of this team. (Runner up: Calvin Natt)

SF: Bernard King - what a renaissance. Watch his moves on youtube, he was not that tall like say Alex English but he could go in the lane and score on anybody. Jordan of course is an all around better player but I think King was a better scorer and that is saying something. The playoffs when he was putting up 50 and 60 a night he was a terrifying force.

SG: Andrew Toney - they called him the Boston strangler and as Celtics fan there was no one I was more afraid of. Its a real shame his career got cut short. (Runner up: George Gervin)

PG: Tiny Archibald - Ok, one Celtic, but he is seriously underrated - would go flying into the lane, disappear in the trees, Tiny would fly out the bottom of the pile, and the ball would pop out the top and drop in. Probably the last great player to come out of NYC. (Runner up: Mo Cheeks)

Sixth Man - World B. Free - no doubt about this one, he was great as a sixth man. And this guy was plain fun to watch. He would bomb it from 30 feet, when he was on he was a force. He would kick his leg into the defender when he was shooting a j to draw the foul. (Runner up: Michael Cooper)

Money Mules Syndicate Actively Recruiting Since 2002

Tue, 28 Oct 2008 05:44:21 +0000

Money mules have already been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust based model based on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also, has the potential to increase or decrease the commissions that the mules take based on the risk factor of getting caught.

There are several different types of money mules, those serving themselves, and those offering their services to others, in this particular case, we have a money mules syndicate that's been operating since 2002, and is only serving the high profile customers. What happens when such a money mule syndicate (naturally) starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins, Paypal accounts, to stolen credit card data. Here's a translated description of the service :

"Who we are?

- First place at (cyber crime community) top list of trusted service providers for 2008
- We serve the big guys only since 2002
- We never scam, in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be?
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from (cybercrime community) and from (cybercrime community)
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team will be Paradise conditions:

- Instant payment (a few hours after delivered)
- Large numbers to drop service in the USA and the UK (30)
- Individual drop in the number of large islands
- 3-5 fresh weekly drop
- Round-the-clock support"

In case some of their customers get scammed -- appreciate the irony here as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- by some of their money mules, the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational Security) has been taking place across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that in the very same way they keep track of the major anti-fraud features implemented across their services of (ab)use, those implementing them could be monitoring them as well.

How can we co-operate to tackle phishing?

Mon, 27 Oct 2008 09:47:06 +0000

Richard Clayton and I recently presented evidence of the adverse impact of take-down companies not sharing phishing feeds. Many phishing websites are missed by the take-down company which has the contract for removal; unsurprisingly, these websites are not removed very fast. Consequently, more consumers’ identities are stolen.

In the paper, we propose a simple solution: take-down companies should share their raw, unverified feeds of phishing URLs with their competitors. Each company can examine the raw feed, pick out the websites impersonating their clients, and focus on removing these sites.

Since we presented our findings to the Anti-Phishing Working Group eCrime Researchers Summit, we have received considerable feedback from take-down companies. Take-down companies attending the APWG meeting understood that sharing would help speed up response times, but expressed reservations at sharing their feeds unless they were duly compensated. Eric Olsen of Cyveillance (another company offering take-down services) has written a comprehensive rebuttal of our recommendations. He argues that competition between take-down companies drives investment in efforts to detect more websites. Mandated sharing of phishing URL feeds, in his view, would undermine these detection efforts and cause take-down companies such as Cyveillance to exit the business.

I do have some sympathy for the objections raised by the take-down companies. As we state in the paper, free-riding (where one company relies on another to invest in detection so they don’t have to) is a concern for any sharing regime. Academic research studying other areas of information security (e.g., here and here), however, has shown that free-riding is unlikely to be so rampant as to drive all the best take-down companies out of offering service, as Mr. Olsen suggests.

While we can quibble over the extent of the threat from free free-riding, it should not detract from the conclusions we draw over the need for greater sharing. In our view, it would be unwise and irresponsible to accept the current status quo of keeping phishing URL feeds completely private. After all, competition without sharing has approximately doubled the lifetimes of phishing websites! The solution, then, is to devise a sharing mechanism that gives take-down companies the incentive to keep detecting more phishing URLs.

Here is our stab at devising a suitable sharing mechanism. We propose the creation of a members-only sharing club with compensation for net contributors paid for by net receivers. Take-down companies submit real-time copies of their entire feeds to a trusted third party (for the sake of argument, let’s assume that the APWG takes on this role). The APWG collates the individual feeds, marks the source of each submission (i.e., which take-down company) along with a timestamp. The APWG makes the amalgamated feed available immediately to all members. The members pick out phishing URLs impersonating their own clients, while ignoring the rest. Crucially, the expensive task of verifying phishing URLs and initiating take-down continues to be performed by the take-down company.

Periodically, the combined feed is audited to determine the reciprocity of contributions. Take-down companies provide a list of their clients to the auditor. The auditor then computes the number of phishing websites impersonating each take-down company’s clients that are missed by the takedown company but identified by others. The auditor also tallies the time difference for phishing websites that are identified by others first.

For example, suppose bank A1 has hired take-down company A to remove phishing sites on its behalf, and bank B1 has hired take-down company B. Suppose 500 phishing sites impersonate A1, and that A identifies 400 while B identifies an additional 100 sites missed by A. Likewise, suppose another 500 phishing sites impersonate bank B1, and that B identifies 300 while A identifies an additional 200 sites missed by B. B has received a net of 100 useful phishing sites more from A than B has given to A. Consequently, B should pay A a previously-agreed ‘finder’s fee’ for identifying these extra 100 websites.

The ‘finder’s fee’ provides additional incentive for take-down companies to invest in better phishing website detection. Designed properly, such a sharing club can overcome the potential for free-riding that companies such as Cyveillance fret about, while increasing sharing to shorten phishing website lifetimes.

Some subtleties must be mentioned, however. If the finder’s fee is big enough, some companies may be tempted to cheat to minimize their payout. For instance, underperforming take-down companies could claim to have independently discovered missing data from their feed shortly after collecting it from the shared feed. This can be mitigated by adding a credible threat of detection — inserting a few dubious fake phishing URLs that only appear in the shared feed. If the company claims to have ‘independently’ rediscovered these URLs, then they will be caught cheating. Another issue is that the auditing system does incur some overhead, which could be avoided if sharing was made unconditional.

To sum up, we recognize that many take-down companies will be reticent to share. However, we feel that sharing is too important to the goal of tackling phishing to brush aside because of a few inevitable complications. For the good of protecting consumers, the anti-phishing industry should learn to co-operate!

Outsourcing Infrastructure Management

Fri, 17 Oct 2008 12:30:15 +0000

Have you experienced this? You call [fill in the blank] tech support and reach “Bob Smith” whose accent doesn’t quite match the name. If you’re like me, you wonder two things: is his name really Bob Smith? And if it’s not, why is he lying?

Is it supposed to make me feel better about getting my problem fixed if I’m talking to someone in the Midwest versus someone in Bangalore? (Please no hate mail – I’m from the Midwest.) Honestly, I just want my computer to stop showing me a blue screen of death.

But apparently, I might be in the minority. According to the Black Book of Outsourcing (yes, outsourcing has a black book), reverse outsourcing is on the rise with “India’s leading service providers opening offices on Main Street, USA” to be closer to customers (mainly North American) and draw from the “local talent pools”.

The one area of outsourcing bucking this trend – infrastructure management. Co-writer Scott Wilson says that infrastructure management is largely automated, low touch and does not involve a lot of interaction.

Speaking as a vendor of infrastructure management tools, that’s a bunch of malarkey. Perhaps at a very low level this is true (i.e., is the device responding), but that’s just the tip of the iceberg when it comes to monitoring performance, availability and SLAs for today’s networks, systems and applications.

Certainly as vendors, we try to put as much automation as possible into our toolsets – helping our customers to simplify IT management wherever possible, enabling them to be proactive by setting up “intelligent” alarms and thresholds that warn of problems before they become showstoppers and reacting at a speed in this increasingly virtual world that simply is not possible for human manual interaction.

But infrastructure management doesn’t happen in a vacuum and you can bet when something goes wrong which affects some mission-critical app state-side, that there is a LOT of communication and interaction. And it takes a lot of work and setup to get to a level of automation where the alerting is proactive and intelligent and customized for each business.

One of the main points of tools like ours is to automate where possible in order to free up the valuable time of the sysadmins, network engineers, IT managers, etc to do the higher order work – which is how they’ll get to the next level of infrastructure management. Beyond “is it up”, infrastructure management should be providing answers to questions like: “is it always up”, “is it doing what I expected it to do” and “will it still be working as expected as my company grows”.

Debunking the Latest Fear Mongering News on WPA security

Mon, 13 Oct 2008 05:07:51 +0000

I had been meaning to write about recent exaggerated claims that WPA security had been hacked, but George Ou beat me to it. The buzz comes from Elcomsoft's Distributed Password Recovery. The innovation is that they use NVIDIA GPU acceleration for password cracking and can distribute the crack across a network to multiple clients and their NVIDIA GPUs. The GPU acceleration, they claim, "reduces password recovery time by a factor of 20." They also take the unfortunate approach, in a press release, of massive gains in cracking WPA and WPA2 protection, and that they can "...break Wi-Fi encryption up to 100 times faster than by using CPU only." 100 times! 2 orders of magnitude! That must be a lot, right? Well, probably not. This is where George Ou calls shenanigans. First, he points out that this only affects password protection systems that rely on password complexity, and that, as a general rule, the time involved is proportional to the complexity of the password. So if your password would normally take a million years to crack, it would take 10,000 years with this system. Draw your own conclusions. He also points out, just to get past the WPA buzzwordism, that this is a more general attack mechanism and could, for example, be used against certain VPN systems. With respect to WPA/WPA2 specifically, the attack is generally useful only against home users, because they are generally the ones using PSK (Private Shared Key) authentication. "It has zero affect enterprise mode WPA deployments which use TLS protected authentication such as PEAP or EAP-TLS. Internal LAN authentication schemes such as NTLM and LDAP are also significantly weakened. SSL authentication schemes are not vulnerable to this particular attack." If you are relying on password complexity for protection then his advice, and mine, is old news: first, if you're a business, perhaps you should be using a TLS-based authentication system. Also, you should make sure that your passwords are sufficiently complex and changed often enough. Ou has some specific advice about this in his column, but as he says, there are usually easier ways to get passwords (like offering people chocolate for them) than to spend years cracking them with thousands of dollars of computing power.

Data Mining for Terrorists Doesn't Work

Fri, 10 Oct 2008 02:35:43 +0000

According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.
They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

Experiences Threat Modeling At Microsoft

Wed, 08 Oct 2008 14:12:00 +0000

Adam Shostack here. Last weekend, I was at a Security Modeling Workshop, where I presented a paper on “Experiences Threat Modeling at Microsoft,” which readers of this blog might enjoy. So please, enjoy!

And while I’m at it, I wanted to draw attention to some of the other presentations that I thought were very interesting, including one by Karine Peralta “Specifying Security Aspects in UML Models” and “Curriculum for Modelling Security: Experiences and Lessons Learned.”

The McAfee Secure Standard: Sort Of

Tue, 07 Oct 2008 19:47:00 +0000

I need your help.
I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my meeting with Joe Pierini and Kirk Lawrence of McAfee some weeks ago. I admit my attitude has soured since last I discussed it here, as the Standard is not yet ready for public release (I last said 2-3 weeks and that was five weeks ago), but bear with me. I can't publish exact quotes from the Standard, as I've promised not to, but let me give you insight on the upside, then the downside.

The upside includes all the transparency we'd hoped for. You'll read the McAfee Secure Standard and know exactly where they stand with regard as to what can be expected of the McAfee Secure Service. My discussions with Joe Pierini have been productive and respectful, he means well, and I believe he will try to drive the greater McAfee leadership to officially incorporate suggestions made in this blog.
I have even had the pleasure of reading a Researcher/Finder Policy that very succinctly describes what researchers can expect when they submit vulnerabilities found in McAfee Secure sites. That's all good stuff and to be applauded.

Now for the downside.

The McAfee Secure Standard will draw a clear distinction between "enterprise" customers and all the Ma & Pa websites who have so loved McAfee Secure / ScanAlert Hacker Safe for conversions.
The most glaring and painful distinction for me is this. While enterprise customers will have a clearly defined time line in which to remediate script injection vulnerabilities like XSS and open redirects, before losing their McAfee Secure badge, the Ma & Pa sites will have absolutely no requirement to fix their XSS issues. XSS vulnerabilities and the McAfee Secure badge will remain consistent on all those sites that care more about "convincing" their customers that they're secure with a McAfee Secure badge; a badge that, by its own pending standard, will contradict what we know to be truly secure.

My views are clear. I have made every effort to convince McAfee that this stance is counter intuitive to good web application security standards. I believe that, in their own way, they are listening. So here's your chance.
1) Is transparency enough?
2) Is holding only enterprise customers accountable acceptable?
3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?
4) What else do you want McAfee to hear, in the form of constructive feedback only?
I will publish all well written, thoughtful comments here. Let's keep it positive and see if we can help convince McAfee that script injection vulnerabilities and McAfee Secure can't exist in the same physical space. Like matter and anti-matter. ;-)
The floor is yours...

del.icio.us | digg | Submit to Slashdot

Interop NY 2008: Wrap-up

Thu, 25 Sep 2008 16:48:01 +0000

This year was a strange year at Interop NY. While the financial industry in NY was crumbling around us, things were strangely normal at Interop. Despite entire departments being laid-off at Lehman and elsewhere, while the show was going on, the show itself seemed mostly unaffected. We even saw this with our annual survey - in 2007 18% of respondents were from the financial services industry, this year the sector respresented 19%.

Interop NY 2008 was up considerably in size from the show in 2007. According to Lenny Heymann, the GM of Interop, this is a trend that they expect to continue. My personal experience was that the size of the vendors was also up this year. I think there were so few startups that “Startup City” was pulled from the show completely. In any case, the show floor was full and there was plenty of attendee traffic to go around.

Definitely helping out from a traffic and draw perspective was the addition of the Web 2.0 Expo - Interop was co-located with both Mobile Business Expo and the Web 2.0 show. It seems like that buzzword still hasn’t lost most of its luster.

From the InteropNet perspective, the main feeling was one of being rushed. With the show only lasting two days, and the InteropNet team only having a couple of days of ramp up time, everything was compressed into a much shorter period than in Las Vegas. While this would normally be a challenge, it’s an even bigger challenge at the Javits where the InteropNet team was allowed to do almost nothing ourselves because of union rules. You’d be surprised how frustrated you can make a network guy who’s told that he has to stand there and watch the electrician plug things in, rather than just doing it himself. The only thing faster than the InteropNet team getting the Interop NY network up, was my pedicab ride to the InteropNet Booze Cruise.

In any case, everything came off without a hitch, and EM7 performed flawlessly catching a couple of power outages that last day and alerting everyone before the batteries on the UPSes had a chance to run down.

Over the next couple of weeks I’ll analyze the data from the show to see how many tickets were handled, amount of bandwidth consumed, etc and we’ll do a comparison to Interop Las Vegas.

We’re (both ScienceLogic and me personally) looking forward to Interop 2009.