[SecurityRatty] tag: roam

SOA Security in Real Life

Sun, 30 Nov 2008 14:29:17 +0000

I started off my last article on SOA Security this way:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move.
Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).

The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.

Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.

For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.

Legacy Systems: Where the Catalog Falls Apart and LOLCATS Roam

Thu, 31 Jul 2008 11:18:17 +0000

Let’s face it, compliance in IT security is a myth. Compliance in IT security with legacy systems is like a chupacabbra riding a white unicorn chasing a leprechaun while waving Excalibur. And the auditors just shake their head and wonder why you can’t just comply.

Anyway, on to the LOLCATZ (note that I’m getting all creative-stylie with haikus this week, must be something in the beer last night):

Bookmark to:

Great re-visit on a little known tip about blocking Malware

Wed, 02 Jul 2008 19:53:53 +0000

Ran across this site and found this great article on a little known tip for blocking Malware by editing your hosts file.
I like this site!

clipped from pctechbytestoday.com

Modify Your Hosts File to Block Malware

By now, most of us know what spyware is and what it can do to your computer. If your PC is connected to the Internet, chances are you have some form of spyware. It attaches to your PC as you casually roam websites or download files. But you can be proactive and block some of the known malware websites by altering your hosts file in Windows.

Can you hear me now?

Fri, 27 Jun 2008 06:56:10 +0000

Verizon released a very interesting Data Breach report that analyzes over 500 forensic reports on their system over a number of years. It is great work by Verizon to gather this data and to publish it. Of course a consultant I go into lots of companies where they could learn a lot just by being more open and talking through issues with peers in other companies. Would be great to see other companies follow Verizon's lead.

I suggest you read their report, and I would like to add a little color to their findings from the perspective of the swamp I spend most of my time in - Web services security. Granted it is just one report, but the data run counter to a lot of conventional security "wisdom":

Who is behind data breaches?

73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

The internal/external divide is pretty silly these days, as is companies' recanting "inside the firewall and outside the firewall", I spend most of time hooking things up together precisely _so_ they intereoperate remotely. The firewall is a speed bump at best. At any rate external sources is a primary concern in Web services security, because - hey look our Web service front end just made your Mainframe/As400/Unix DB/ CICS/whatever accessible remotely. This is great from a functionality standpoint, but the issue is that these back end systems were never designed with anything remotely resembling an Internet threat model. Additionally, the Verizon team's findings around business parties and multiple parties strikes at the heart of a number of popular misconceptions in Web services security - "well its just B2B and its behind a firewall."

How do breaches occur?

62% were attributed to a significant error

59% resulted from hacking and intrusions

31% incorporated malicious code

22% exploited a vulnerability
15% were due to physical threats

A couple of things to note here - malicious code in my opinion is likely to be the biggest problem in Web services security going forward. There is a large gap waiting to be exploited here. You have no control over the other end of the pipe plus a massive attack surface, the only thing lacking is the attacker's ability to find and exploit which I strongly suspect is just a matter of time. Wrt hacking an intrusions we have the remote, passive nature of web security to blame here in Web services world. Paraphrasing Jeff Williams, the problem is that an attacker can just try an attack if it doesn't work, try again, again, and so on. This partially because of the loosely coupled nature of the systems, but it is also because commonly used information security protocols have diverged from reality are modeled using an object-centric mentality, where you "own" the object you are protecting and can afford to put passive controls around.

What commonalities exist?

66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls

Many of the attacks against Web Services are not difficult, in my training class, we'll typically execute 8-10 different attacks in a two day period. But the big one from this list is the first one - the amazing amount of attack surface offered up by Web services. Brad Hill has done a good job articulating these issues in SOAP/XML/WS-*, but at an enterprise its even bigger than those standards - the thing is we use Web services to make stuff interoperate, to make stuff reusable, and to virtualize endpoints. Great stuff if what you want to do is decentralize your business, but this creates oceans of space for attackers to roam. When you look beyond the Visio and the IDE view of web services, and get to the runtime there is an amazing amount of detritus left behind by all these layers.

Cruel Shoes

Sat, 07 Jun 2008 09:37:40 +0000

Insanity in an insole: For some reason, the folks mstrpln (wasn't that one of Superman's pests?) along with Ubiq (a homophone for a Philip K. Dick novel) have released a Nike Dunk add-on that shows you whether a Wi-Fi network is in the vicinity of...your shoes.

They write: "The idea of footwear was pushed further by converging elements of digital culture with fashion and design into a wearble technology. The end product is a sneaker designed to detect Wi-Fi wireless internet hot-spots wherever the user may roam, with every step."

Uh, yeah, because, a shoelace cover that lights up whenever there's Wi-Fi around is some kind of cool. If it were 2003. And a handbag.

T-Mobile Sues Starbucks over Premature Free Wi-Fi

Fri, 06 Jun 2008 15:18:56 +0000

T-Mobile filed a complaint in New York's Supreme Court over the Starbucks Card Rewards free Wi-Fi launched this week: T-Mobile spokesperson Peter Dobrow said this evening that his firm was surprised when the free Wi-Fi was launched in every market, because T-Mobile wasn't party to that deal. "Starbucks launched this promotion without involving T-Mobile," he said. Dobrow said that T-Mobile continues to operate 95 percent of the Starbucks locations in the U.S. under contract as AT&T transitions into its role as the new operator.

The lawsuit, which I've read, says that T-Mobile never agreed to nor was compensated for providing free service in stores. A link to AT&T's network in all markets except San Antonio, Tex., and Bakersfield, Calif., is handled on the backend entirely by T-Mobile. The suit notes, "If AT&T or Starbucks wanted to offer 'free' Wi-Fi in non-transitioned stores for Starbucks customers, as they are now doing, they should have--and, indeed, were contractually required to--negotiate such an arrangement with T-Mobile."

The crux is that while T-Mobile did agree to provide free roaming to AT&T subscribers, as defined in a bilateral roaming agreement the two firms signed, T-Mobile states the agreement doesn't allow other parties to roam for free. (That's most likely why we haven't seen AT&T's roaming partners, like Boingo and iPass, appear in the login menu, too.)

Representatives of Starbucks immediately available on a Friday night. A Reuters report quotes a Starbucks spokesperson who doesn't comment directly on the suit.

An AT&T spokesperson said via email that the company doesn't comment on other companies' lawsuits. AT&T is not a party to the suit, although it is mentioned throughout.

The lawsuit provides quite a bit of previously private detail about the transition agreement. T-Mobile says that the transition contract signed by all three parties, T-Mobile still had responsibility for and ownership of a market until all equipment in all stores in a defined market belong to AT&T. The agreement also called for exclusive roaming only for each party's existing subscribers in markets that were converted or still under T-Mobile's control until 4-Jan-2009.

T-Mobile states in the suit that they didn't learn of the planned launch of the free Wi-Fi service until 30-May-2008.

T-Mobile wants money, release from current obligations, and other damages. I expect that things have gone quite far for them to file a suit.

"We hope to come to an amicable solution, and sometimes you do have to file a complaint in order to make that happen," T-Mobile's Dobrow said. "It's easy to give something away for free if it's not yours."

See Ya at RSA!

Fri, 04 Apr 2008 12:23:00 +0000

A final post for today: RSA 2008 Conference starts on Monday, see you all there.

If anybody wants to meet, drop me an email to anton at loglogic.com (I will get it on my mobile device)

Here is something interesting I would like to propose: let's meet to roam the vendor expo hall and make fun of the vendors there :-) Some people there will make you ROFL or even ROFLMAO: once I had somebody try to explain why logs are important to me (was not too convincing, BTW) , another time I received a speech on what PCI DPS (!) is. There is also a high chance of spotting a hippo there (i.e. a vendor who misspelled HIPAA in their materials), which is always fun too.