[SecurityRatty] tag: sufficient

Hardening OS 10.5 Leapord-Tips from the NSA

Mon, 22 Sep 2008 15:46:48 +0000

The National Security Agency developed a configuration guide for default installations of Leapord.

According to Information Week, it’s not a completely comprehensive guide but it’s a good start — “While the agency’s advice may not be sufficient to stop a government agency like, say, the NSA, from accessing one’s Mac, it should significantly improve one’s security posture against less capable hackers.”

Tips cover user accounts, admin accounts, firewalls, software updates, folder permissions and more. For a few quick tips read the full article – or if you have time, download to the NSA guide.

The challenge of securing virtualization operations

Mon, 01 Sep 2008 20:00:00 +0000

I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?

Golf Driven Security

Tue, 26 Aug 2008 13:00:50 +0000

I don't have anything against the sport, in fact I think that if the software security people want to get in the enterprise security game they have to get a lot better at golf. I blogged about how the network security sector is about fifteen times larger than software security sector, prompting one person to write saying that we have invested wisely in network security, eliminated the problems and will address the software security problem with internal processes and tools.

The problem is that compared to software security we are clearly overspending on network security, the hardware/software is unchanged for a decade - in any other area of computing the cost would be falling like a rock (how much would 1995 version of Oracle or Windows cost now? 5 cents on the dollar, yet CISOs still cut $900M worth of checks to Checkpoint each year). The problem is there is no market effect because the CISO's budget keeps increasing and they have no idea what/where/how to spend so they just play golf with their Checkpoint rep and send in the renewal.

Internal processes and tools are necessary yet nowhere near sufficient to "solve" software security. One reason we "have gotten rid of" network attacks is that no one cares. its a 1990s 31337 attacker goal, not a mafia enterprise goal (botnets aside). business, be they legit or criminal, wants data and functionality. so its all about apps and data. we are just at the very begining crawl stage of even understanding how to solve these problems. That's why when i hear security consultants harsh on something like static analysis I just laugh. are they better than a top 1% resource in the world? no way. do we have a multi billion dollar gap to close? ya sure, ya betcha. We need things that scale.

People dont write their own virus protection, but for some reason attempt to do their own input validation, it is the same exact problem. people routinely write their own authentication, authorization and audit. i could go on.

I have rarely seen an industry so ripe for disruptive innovation as software security.

Opinion: Encryption compliance still the Wild West

Mon, 18 Aug 2008 09:00:00 +0000

Some states do not consider encryption alone sufficient to ensure that the data is unrecoverable, and at this stage in the game, companies cannot assume that just because they have encrypted data or implemented encryption key management that they are either completely protected from future legal liabilities or have complied with the law.

Spamming Deterrent?

Wed, 13 Aug 2008 09:38:22 +0000

It’s a harsher sentence than that handed to some spammers,
but is it enough? Have your say at
http://www.virusbtn.com/news/polls/index

clipped from www.virusbtn.com

Is 47 months imprisonment sufficient punishment for a convicted spammer?

It seems like a pretty tough sentence but there’ve been quite a few big arrests/trials/tough sentences and it doesn’t seem to be putting these people off - all these ’spam kings’ are repeat offenders with long histories of fines and sentences but they keep on doing it.

76Service - Cybercrime as a Service Going Mainstream

Wed, 13 Aug 2008 04:08:43 +0000

Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more profitable operations. Controversial to the concept of outsourcing, some cybercriminals are in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can partion their botnet and start offering access to it on a multi-user basis. Evil? Obviously. Extending the lifecycle of a proprietary malware tool? Definitely.

The infamous 76service, a cybercrime as a service web interface where customers basically collect the final output out of the banking malware botnet during the specific period of time for which they've purchases access to the service, is going mainstream, with 76Service's Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability potential by introducing different banking trojans in their campaigns.

In this post, I'll discuss the 76service's spring.edition that has been combined with a Metaphisher banking malware, an a popular web malware exploitation kit, with two campaigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised hosts 59% of which are based in Russia. Screenshots courtesy of an egocentric underground show-off.

Some general info on the 76service :

"Subscribers could log in with their assigned user name and password any time during the 30-day project. They’d be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves). Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another."

The 76service empowers everyone who is either not willing to spend time and resources for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of thousands of sites in order to take advantage of the long tail of malware infected sites that theoretically can outpace the traffic that could come from a SQL injected high-profile site.

Next to the spring.edition, the winter edition's price starts from $1000 and goes to $2000, which is all a matter of who you're buying it from, unless of course you haven't come across leaked copies :

"Assuming that the dealer offering what he claimed was the 76service kit was correct, the profit is not only in the kit, but in selling value added services like exploitation, compromised servers/accounts, database configuration, and customization of the interface. Prices start between $1000 to $2000 and go up based on added services. The underground payment methods generally involve hard-to-track virtual currencies, whose central authority is in a jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. The individual or group called "76service" was easy to track down on the Web, but not in person."

It's interesting to monitor how services aiming to provide specific malicious services are vertically integrating by expanding their portfolio of related services -- taka a spamming vendor that will offer the segmented email databases, the advanced metrics, and the localization of the spam messages to different languages -- or letting the buyer have full control of anything that comes out of a particular botnet for a specific period of time in which he has bought access to it. For instance, DDoS for hire matured into botnet for hire, which evolved into today's "What type of stolen data do you want?" for hire mentality I'm starting to see emerging, next to the usual interest in improving the metrics and thereby the probability for a more succesful campaign.

Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be able to process all of the stolen data, which like a great deal of underground assets loses its value if not sold as fast as possible. The result of this oversupply of stolen data are the increasing number of services selling raw logs segmented based on a particular country for a specific period of time.

Time for a remotely exploitable vulnerability in yet another malware kit about to go mainstream? Definitely, unless of course backdooring it and releasing it doesn't achieve the obvious results of controlling someone else's cybercrime ecosystem.

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Malware as a Web Service
Coding Spyware and Malware for Hire
Are Stolen Credit Card Details Getting Cheaper?
Neosploit Team Leaving the IT Underground
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Pinch Vulnerable to Remotely Exploitable Flaw
Dissecting a Managed Spamming Service
Managed "Spamming Appliances" - The Future of Spam

Even More Logging Questions - Answered

Wed, 06 Aug 2008 07:43:00 +0000

I did this fun webcast on logging for accountability (here) and people asked a lot of good questions. Here are some of the answers for them and all my blog readers.

Q1: How do you handle variety of log sources? There are so many, almost beyond my capability.

A1: Sorry to ponder the meaning of "is" here, but what is meant by "handle"? It is really not that hard to collect logs from a large number of diverse sources (as long as the logs can be delivered via syslog or exist as files and can be collected). Now, there will certainly be challenges when the volume of logs gets large, but if by "handle" you mean "collect + store", it is really not that hard, given the right tools. Now, if "handle" means "make sense of what all those logs are trying to tell you," it is a different story altogether.

Q2: You talked about the importance of logging; however for an intermediate or novice admin what are the starting steps .. what are the minimal logs they should start at once?

A2: Answered in "Log Management - Day 1" If you want a simple list of things to "enable today," I cannot really answer it since I know neither your needs, nor your environment. In other words, this is the "what is the meaning of life question?" :-)

Q3: What regulations, rules or guidance exist regarding sharing or visibility of logs to users?

A3: PCI DSS says in Requirement 10.5: "Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to
alter"

NIST guidance for FISMA also says something similar (for example, look in NIST 800-92 doc). Overall, log protection and security are mentioned in many other regulations as well.

Q4: Privileged groups membership monitoring in AD one of the most important from my point of view. However I did not find effective way to monitor/report on changes in those groups. Any recommendations?

A4: This is indeed a tricky one which might take more space to answer than I have here; it might also take you 'beyond logs.' One good source of information is Randy Smith's site and, specifically, his webinar on 'Active Directory "Logging Gap"' (here somewhere) - which covers how to audit things of that sort when then native logging is not sufficient.

Q5: How I can learn what exactly I need to log?

A5: OMG, this is a $1,000,000 question :-) Let me answer "how can I learn" part and not the "what exactly I need to log part," (also see discussion on "MUST-DO Logging for PCI?") as it is actually answerable. To learn what you need to log, first ask "Why?" (and then see this) - basically establish what you want to accomplish with logs, catalogue your systems, figure how to tweak the logging knobs - and then do it!

Q6: How granular should logging be? What is your recommendation for enterprise servers like domain servers and Windows servers?

A6: Again, too long to answer here in details (it will become a subject of a longer blog post later), but some pointers follow: here for Windows (MS site also have a few recommendations on audit policies)

Q7: What is "more control" and what is "less control" that you mention in the webcast? Can you give an example?

A7: OK, I did say that "sometimes when you implement more controls, you actually have less control." What do I mean? If you buy a firewall (a network security control) and then - over time, of course - configure it with 7800 rules (!) that are supposed to give you control over who can and cannot access your network, you will not gain control over your environment. You will actually be less in control of who is touching your network, compared to, say, having only 20 rules.

Q8: What about mandated NIST controls for government systems? Auditing is a specific control for Moderate and High risk systems. What list of events do you recommend for auditing?

A8: This is too long to answer here, but NIST 800-92 Guide is a really good source of such info ("Guide to Computer Security Log Management [PDF]") Also, see my presentation on NIST 800-92 Guide in the Real World.

Q9: The issue that many organizations get stuck on, is the monitoring process, and defining what exceptions to monitor for? Is there guidance / framework for this? How much of it is system specific and how much is applicable generally to all systems?

A9: I outlined some general ideas back in 2004 via this presentation (note to self - update that to be more 2008-relevant); it is mostly general, but also has pointers to specific system. Keep in mind that it is focused on security, not operational monitoring (which is often no less important - in fact, often MORE important)

Enjoy! Sorry for being brief with some of the answers - I am woefully late with this even as they are...

Other questions that I answered in the past:

CISA and CISSP Preparation

Thu, 31 Jul 2008 09:14:07 +0000

Recently I have received a number of questions seeking preparation tips and insights for the CISA and CISSP certifications. I hold both of these certifications, and passed them both on the first attempt using very different preparation approaches. I took the CISA first, and based on a few lessons learned, I radically changed my preparation plan for the CISSP.

FYI, the official preparation information, qualification requirements, exam requirements, etc. can be found at:

Certified Information Systems Auditor (CISA) : http://www.isaca.org/cisa/
Certified Information Systems Security Professional : https://www.isc2.org/cissp

Are You Ready ?
A few basic questions to ask yourself to gauge how ready you are:

Do I meet the spirit, and not just the letter, of the experience requirements ?
Has there been sufficient diversity in my experience ?

Both of these exams cover a very broad spectrum of subjects. It is my personal belief that the experience requirements exist as an aid to whittle test takers down to candidates who have the professional experiences required to be successful, and to discourage people from taking the exams before they are ready. If you truly meet the background requirements, then you should have had some contact with many of the core topic areas for the exam.

If you are looking at the core content of the examination, and do not believe that you really have the breadth of exposure to be able to describe and discuss each domain at a high level, then you may be better served by delaying the exam in favor of working with your management to gain broader professional experience.

Five Step Approach to CISA or CISSP Exam Preparation

Perform an initial benchmark and assessment of your readiness
Read a “survey” level preparation guide cover to cover
Perform a secondary benchmark, and compare your readiness
Review official, or “deep dive”, preparation materials on areas identified as your weaknesses
Re-benchmark, and repeat targeted reviews until ready

For the first certification that I prepared for, I did not perform the first three steps outlined above. I went directly to the official source materials and began trying to review them cover to cover. I passed the exam, but I also spent a lot of time & energy reviewing things that I already knew “well enough”, and was burned out when reviewing the areas which could have been richer learning opportunities. No matter what your professional background, no one knows-it-all or does-it-all, so there is always an opportunity to learn new things while you are preparing for the certification exam. The goal of this five step approach is to focus your time where you have the greatest learning opportunities. Hopefully this focuses your time and energy in the most rewarding way.

Performing the Benchmarks

For the Benchmarks, I like to complete a timed half-length or full-length examination.

It is my feeling that a half-length exam is long enough that fatigue, maintaining focus, and pace are all stressed, as they will be on examination day. This of course requires access to a large set of test questions or sample tests, preferably with explanations of incorrect answers. In addition to commercial third-party test preparation tools, there are good (and free) test preparation quizzes available from www.cccure.org.

Survey Materials

I find the “Exam Cram” series to be very useful survey literature. I purchase books from this series when I want a high-level and quick handling of an entire subject matter area. As a result, I own survey books from the series in topic areas which I have no intention of pursuing certification for. Obviously the books I recommend for these certifications are:

Deep Dive Materials

There are exam preparation materials available from a variety of sources that fit the bill in this area. What we are looking for are books that contain solid coverage of the areas where benchmarking has shown the most significant need for improvement. In addition to the materials from (ISC)2 and ISACA that I list below, consult your local library - often they will have books that fit the bill. (And, of course, consider arranging a donation of good materials if they do not.)

Final Thoughts

Good luck on your journey toward Information Security or Audit certification. One word of caution: Make sure that you have realistic expectations about what actually being certified will mean. Although I do think being certified helps a person establish credibility more quickly, and is helpful when searching for new employment, often people are underwhelmed by the “Congratulations, that’s nice” from their current employer. If your expectation is that a big raise, bonus, promotion, etc. is hinging on your being certified, then I would strongly encourage you to reality-check that with peers in your organization.

Cheers, Erik

CISA and CISSP Preparation

Finland privacy judgment

Wed, 23 Jul 2008 11:26:48 +0000

In a case that will have profound implications, the European Court of Human Rights has issued a judgment against Finland in a medical privacy case.

The complainant was a nurse at a Finnish hospital, and also HIV-positive. Word of her condition spread among colleagues, and her contract was not renewed. The hospital’s access controls were not sufficient to prevent colleages accessing her record, and its audit trail was not sufficient to determine who had compromised her privacy. The court’s view was that health care staff who are not involved in the care of a patient must be unable to access that patient’s electronic medical record: “What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.” (Press coverage here.)

A “practical and effective” protection test in European law will bind engineering, law and policy much more tightly together. And it will have wide consequences. Privacy compaigners, for example, can now argue strongly that the NHS Care Records service is illegal. And what will be the further consequences for the Transformational Government initiative - the “Database State”?

What Dans DNS Checker Doesnt Do

Thu, 10 Jul 2008 19:03:03 +0000

Despite what various commenters around the blogosphere think (I’ve read a few but can’t find the links now), Dan Kaminsky’s online “Check My Dns” utility doesn’t:

Poison anybody’s DNS cache
Expose how the actual exploit works

What it does is check whether your ISP’s DNS server is patched. Plain and simple. It looks for one thing — source port randomization. This does not give away the exploit, it checks for the existence of the sledgehammer fix that prevents the exploit from working.

More specifically, there’s some Javascript code that generates a random hex string which is used to create a URL, e.g. http://6313d97e498e.toorrr.com. Your OS then does a DNS lookup for that unique hostname. Your ISP’s DNS server asks toorrr.com’s DNS server (a server Dan controls) to resolve that funky DNS name to an IP address. It sends a few packets in the process. Dan’s server makes a note of the source port of each request and sends back the webserver’s IP address to your DNS server, which sends it back to you.

Now that you have the IP address, your browser can fetch the results page. The web page is generated dynamically by parsing the hex string out of the URL you requested, using Ajax to fetch the relevant port and TXID data stored on Dan’s server, and printing out a “safe” or “vulnerable” message such as:

Your name server, at 71.243.0.38, appears to be safe.
Requests seen for 6313d97e498e.toorrr.com:

71.243.0.38:45298 TXID=13926
71.243.0.38:45310 TXID=25412
71.243.0.38:45338 TXID=30829
71.243.0.38:45332 TXID=13934
71.243.0.38:45321 TXID=2701

That’s all. Nothing tricky. This particular DNS server is deemed safe because the source port varies from one request to the next.

Come to think of it, those source ports don’t really look that random, do they. For anybody “in the know”, is that amount of randomness sufficient to protect against the attack?