[SecurityRatty] tag: patrick

U.S. Olympic Committee Trying to Take Chicago2016.com Away from Grad Student

Fri, 19 Sep 2008 15:03:00 +0000

In 2004 graduate student Stephen Frayne Jr. bought the domain name Chicago2016.com. Now the U.S. Olympic committee and the Chicago group organizing an Olympic bid for that year want it from him. They have filed through arbitration processes to have the domain turned over. The committee is currently using chicago2016.org as its domain, but that's not good enough. "We certainly see Chicago2016.com as the logical default domain for our site, and we believe having someone else control it is misleading for people seeking information about Chicago's bid," said Patrick Sandusky, a spokesperson for Chicago 2016. The Chicago Tribune article on this story describes "Chicago 2016" as "a moniker protected by trademark." I did a trademark search and there are several with that string in it, none of which were filed before 2006. Frayne launched the site to be, he claims, a forum for public discussion of Chicago's bid. He also owns Tokyo2016, another city bidding for that Olympiad, and is also being pursued for that domain. My own opinion: There are no trademarks in "Chicago 2016" that the committee can reasonably claim ownership of. Obviously it just hasn't offered Frayne enough money for the domain yet. Hat tip to DomainNameNews.

IT Sec ProfessionalsWill Automated Security Tools Affect Your Job Security?

Wed, 03 Sep 2008 06:13:33 +0000

Hackers, security professionals and security tools are becoming both more sophisticated and more automated. With more demand for security experts, people are getting trained and coming in from many different backgrounds — like Patrick Foley over at Blog Info Sec, who said he worked as a longshoreman, journalist, and manager before being trained in tech. He has an interesting article today looking to the future as well — as security gets bigger, how many of our tools will become automated and will that leave security professionals with less job security?

I know that I am always looking for better, cheaper, and faster ways to do what I do now. As regulations like PCI become more prescriptive, as discovery and compliance tools get better, as organizations embed security more seamlessly in the business, and as security itself becomes part of more expansive and, theoretically, more valuable business roles, will security professionals need to reinvent themselves?…

Very few jobs in any large organization look like they did 20 years ago; some of security’s most traditional work may see big changes ahead. How do we prepare our colleagues and teams for those challenges and turn them into opportunities?

Read the whole article here.

A sneak peek at a Black Hat presentation

Wed, 30 Jul 2008 14:08:27 +0000

No, it is not the Dan K DNS presentation, sorry. Patrick McGregor, CEO of BitArmor Systems is presenting at Black Hat as well. As part of our promotion with the SBN and Black Hat I have made my blog available to Patrick to give us a sneak peek at his presentation. Patrick was nice enough to prepare the following:

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren’t theoretical academic exercises. Cold boot attacks are real. And they’re serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost “Cold Boot” attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I’ll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here’s a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a “virtual secure enclave” for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

Mon, 28 Jul 2008 23:29:54 +0000

It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.

Today, a botnet will not only be sending out phishing emails, automatically SQL inject vulnerable sites across the web, but also, provide fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency provided by the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access it it sold and resold so many times, that it would be hard to keep track of all the malicious activities it participates in. Cybercrime in between on multiple fronts using a single botnet is only starting to take place as concept.

That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.

The Storm Worm-ers themselves aren't sending out pharma spam, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program, a pharmacy affiliate program has been around for several years :

"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"

What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure new bots are added, what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.

Related posts:
Storm Worm Hosting Pharmaceutical Scams
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

SSO Summit Day One Morning Session

Thu, 24 Jul 2008 09:35:02 +0000

I am at the SSO Summit, high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this together. It is the perfect size around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here.

John Haggard who has an extensive background in SSO and lately is at Passfaces kicked off the sessions with a SSO history talk. Going through a lot of mainframe centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.

A couple of points from the presentation:

The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.

SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.

Phishing has always been completely avoidable

He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implication he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go.

Finally, he connected some interesting dots to SAML and SOA security issues.

SSO without strong auth is and always will be simply nuts

SAML gets its right

His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.

Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and as is his wont demonstrated various real world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.

Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real world lessons learned in his presentation. Plus my favorite identity architecture, user has Kerberos, services speak SAML. very nice, very scalable. All in all, its my starting point for how to identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal either for vendor lock in reasons and/or for sloppy authorization design. This will take a LIberty-esque consortium of enterprises to resolve.

So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real world in the trenches practitioners who have problems to solve today, with rubber meets the road deployable solutions and an eye towards longer term strategy for SSO and identity.

For your hacking pleasure - Cold Boot utilities released!

Wed, 23 Jul 2008 09:32:00 +0000

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

Links List 7.3.08

Thu, 03 Jul 2008 11:51:53 +0000

A “new era for Microsoft” as Bill Gates leaves the company? Paula Rooney on Virtually Speaking says, “it seems fitting that Hyper-V shipped on the same day Bill Gates exited the Windows company.” Will Microsoft also ‘usher in’ open source now that the big man is gone?

Five years in the making, Hyper-V finally ships. Is Microsoft late to the game? Yes, but how much does that really matter? At the recent Gartner infrastructure management conference, an informal poll of the audience showed that something like a third of the room predicted they’d be using multiple virtualization platforms, including Hyper-V and the installed winner, VMware. But wait, Microsoft’s suite of virtualization management tools, System Center Virtual Machine Manager (SCVMM), is sill in beta. Stay tuned.

Accepting the Sun virtualization challenge, Microsoft group product manager, Patrick O’Rourke weighs in on how “Hyper-V can compete with the open source Xen-based alternatives and whether a Windows-only virtualization technology can hack it in today’s increasingly heterogeneous datacenters.” (I just like the title of the blog post…”Virtualization wars: The empire strikes back”)

GroundWork Open Source says (again) it is moving up and playing with the big guys. Here’s an interview with David Lily, founder and CEO. Hmm. What happened to CEO Ranga Rangachari? As far as I can tell, he disappeared somewhere between Nov 2007 and Jan 2008. No announcement that I could find… Wonder how things are going for GroundWork? Are they about to follow QLusters and drop the “Open Source” part of their name that they tacked on a couple years back?

ShareThis

Fun Reading on Logs and Log Management

Mon, 30 Jun 2008 12:09:00 +0000

I am amazed (no, AMAZED!) about how many people now write about logs; it is definitely not "the original logging evangelist" anymore :-) Here is a quick sample, useful for those struggling with logs (aka "everybody" :-))

A very fun read from Patrick Mueller (ex-Neohapsis now turned lawyer): "Facing The Monster: The Labors Of Log Management." I am happy that log management has been finally granted a monster status :-)
I am happy to see that one of the "five questions to ask before sending your data in the cloud" is "Will I have access to logging and auditing data?" This is indeed a big deal (well, it will be soon) and you will be hearing more about this. I call this "a case of log ransom," since you might need to pay the ransom to see what is "yours" - the logs
Again on leaving [some] logs behind. Remember, the point is not that "collecting all" is a good idea, it is that figuring what to pick is IMPOSSIBLE, while "collecting all" is simply very hard :-)
This is hot stuff: "Ten reasons you will be unhappy with your SIM solution" (no, I didn't write it :-), but this is mine)
Why HA for log management from our star engineer. Those thinking about the reliability of their logging systems should read it.
Fun info on web server log analysis for different purposes.
"Why Logs and Logging Matters - Part 1" and "Why Logs Matter - Part 2, A Letter" present really good intro logging for compliance and other purposes (even specifically saying "what you do with the logs that matters.")
"Smart Business Leaders Support Effective Log Management Practices and Necessary Resources" from Rebecca Herold is a nice basic piece, especially for those outside the circle of logging literati.
More from Sanford on logging standards: "Drawing Lines", an awesome post indeed.
A MUST read on SIEM and log management from Greg Shipley (I promise this is a coincidence! :-)) In this piece, Mr Neohapsis drop kicks more than a few "latest generation" SIEM tools. Guess which product review mentions "pain" 3 times on one page :-)
Finally, this is also worth a read: "Ode to Log Management" where Mr Baum laments logs being pigeonholed in to "another IT management tool" silo despite their broad relevance. He is right - but focusing on one use case after another works...

Enjoy!

Symantec's Network-Based NAC

Sun, 29 Jun 2008 23:33:00 +0000

Yes, you read it right- Symantec (as in the software vendor) has a network-based (as in the hardware) NAC. Once you get over the title, keep reading.

If you read my blog, or know me, you probably know I do NOT like software (and it usually doesn’t like me). So, I’d be the first to jump on the ‘anti-software-peer-based-NAC’ train, but I think we have to be informed before we jump to conclusions and hop on any trains.

Mirage’s recent blog post on Symantec’s ‘Silly SNAC’ was certainly a result of a mis- (or un-) informed person. Tim did a much better job on his mention of SNAC in the NWW blog, but all the dots still aren’t connected. It proves the point that sometimes we (as bloggers) tend to write based on a feeling and sometimes don’t dig for the fact.

So, in an effort to make sure I understood this new peer-based NAC, I reached out to Patrick Wheeler, Symantec’s Senior Product Manager for Network and Endpoint Security. Based on my conversations with him, and a pretty detailed investigation into the options and configurations of their NAC products, I have some slightly more informed opinion to share with you now.

Symantec has a variety of NAC enforcement components and options. I’m going to keep all the software-type-stuff out of this conversation for the time being. They have (among other things) the NAC Enforcer, an appliance similar to the other NAC controllers we see from traditional hardware vendors. Just like it’s counterparts, Symantec’s NAC Enforcer can be configured for DHCP, inline or 802.1X based enforcement.

The piece that’s different is the integration of the NAC Enforcer with Symantec’s Endpoint Protection Manager server that hosts the policies for the NAC. It’s similar to the management-enforcement configuration we see from other vendors, only the management piece is housed on a server instead of another appliance.

And, just as other vendors offer some type of endpoint integrity agent, the Symantec agent comes in the form of the Symantec NAC Client, which can be used by itself, or integrated with the Symantec Endpoint Protection Client for an even more robust feature-set. (The Endpoint Protection Client offers some additional host-based firewall features that the NAC can leverage).

So, what about the Peer-Based NAC? Ah, well that’s just the first iteration of a ‘vision’ to address mobile corporate users. If employees have laptops in an ad-hoc situation outside of the enterprise infrastructure (and therefore, outside of enterprise enforcement), then the peer-based NAC can port the enforcement rules set at the ‘mothership’ and enforce them individually. The peer-based NAC can protect mobile assets in their most vulnerable situation, outside the security of the corporate network. But, the rules are still set centrally and the peer-based NAC was designed to be just one step towards an added layer of protection, not as a replacement for network-based NAC.

For now, I’ll stay off the hate train, since the peer-based NAC is more of a supplement to a more robust traditional NAC solution. If they move to a fully-host-enforced product, I’ll buy my tickets…

Image shown is copyright of Symantec Corporation.

# # #

Security Services Deployment in Federated World

Wed, 25 Jun 2008 09:25:43 +0000

Its easy to get hung up on security protocol design, finding the right fit for your architecture and so on. Its really hard to find security mechanisms that do something useful and scale as well. In my opinion, this is the single biggest issue we face in security today - how do find useful things that solve security problems, that can scale in real world systems.

To that end, my favorite paper in a long time was written by Patrick Harding, Leif Johansson, and Nate Klingenstein called "Dynamic Security Assertion Markup Language: Simplifying Single Sign-On." They begin by asking questions companies face when entering into a federation:

How should trust between providers be managed?

How should information about providers (metadata) be provisioned?

Which SAML profiles and bindings should be used?

Which messages and what part of each message should be signed?

Which identifiers and attributes should be exchanged?

What are the semantics of those attributes and identifiers?

Organizations understand the benefits of SSO and federation, but don't always answer the above questions in a way that sets them to scale. Harding, et al.'s work describes a way to partition the architecture into separate layers - a metadata trust fabric,a metadata publishing fabric, and a metadata validation and signing fabric - enabling dynamic federation. If you design stuff for a large scale distributed systems, this is a really big deal. No wonder these guys win all the good awards.

I have often used Federation as an example of security as a business enabler - improving the brakes, ABS, and airbags so we can drive fast and safe. Federation creates value for the business through more deeply linking it with its customers, partners, and business users; it solves some security architecture problems through encrypted and signed tokens; and it gives the user SSO/SLO. You don't always get a win like this in security architecture, but when you find one its good to ride it for all its worth.