handling keys in memory is a widespread problem

As mentioned by Nate Lawson and illustrated by fellow Security Catalyst Didier Stevens, the cold boot attack against FDE applications is not limited to just FDE, but any program that stores keys in memory.

This is a much bigger problem than just an FDE problem, but it is still far outside the vision and concern of regular users, at least today and likely this year. Didier’s approach to grabbing information out of memory while logged in should be of more concern than a cold boot attack.

So before your auditors require you to put the question, “How do you manage keys in memory?” to your FDE vendor questionaires, make them apply it against every application your organization makes use of or creates.

not losing sleep over the cold boot attack

The recent “cold boot” or “memory remanence” attack against keys stored in RAM (particularly against FDE vendors) has gotten good publicity, including mainstream media. I passed along information to my team, which then got up all the way through the top of my organization partially because we’re just about to roll out an FDE product. What did I recommend or say?

I quickly (2 paragraphs) and in mostly non-technical terms described the attack. Then, in a small FAQ-style section, explained that we are not at much risk of this attack. Memory dumping is not new, nor is memory dumping from recently powered-off memory. Can Joe down the street do it? No. Would Jess after lifting your laptop from the airport queue line crouch in a corner to start freezing your memory? No. Even if tools became available to boot a laptop to USB and quickly dump memory for offline scraping/cracking, this is still not a huge problem.

Bottom line: Is this something that an average computer (laptop) user or average corporate user care about? Seriously, no.

This sort of attack would be of interest to government units, defense contractors, and others who might be subjected to targeted, highly motivated, and decently funded attackers. National or major corporation espionage comes to mind. This attack is also of interest to us security geeks. Not only is it cool, but it keeps us thinking outside the box. It also keeps vendors honest and working towards better security.

What mitigations are there?

Reduce laptop theft risk.
Power off the laptop when it is not in use.
Don’t keep valuable data on mobile devices.
Use advanced multi-factor authentication.
Enforce proper password complexity and age requirements.
Limit booting from removable devices or use a BIOS password.

None of these steps should be very new to organizations, and certainly not to any organization that should care about the cold boot attack. All of the above steps should take much higher priority to all of us.

I don’t follow Bruce Schneier as much as I used to, but I do believe he has a good point when he talks about how badly humans evaluate and react to risk. We see risk and get all dramatic when it comes to low probability but exotic issues, yet ignore common issues that wouldn’t make a Hollywood movie script. This attack is exotic and not common.

tasks for the security neophytes

I was browsing around somewhat randomly and came across this little list of challenges for people looking to get into security. Kind of a cheesy thought, but then I started reading the tasks and really liked them. Some get old school, but damned if security pros really should be exposed to some old school things like IRC or email via telnet.

If you know someone who is looking to get into security a bit more, these are very basic and useful tasks to give them. Even a tech geek that hasn’t had an interest in security should find some of these tasks horizon-expanding.

Snagged from beginningtoseethelight.org.

my 2008 gaming rig build

It’s been about 5 years since I built my gaming machine. Yup, it’s about time to build a new one and I thought I would share some specs. This system is not built yet, but I am already starting to get pieces in. The total cost minus the toys and monitor will be slightly over $1,000. I will buy almost every piece from NewEgg.

The system I want should stand up to about 3+ years of upgrading. For now, I skimp on some parts that are easily upgradable, and splurge on things that are not. I stick to a nice motherboard that no doubt has at least 2-3 good years of high/middle-end gaming in it. It will support most any Intel dual or quad core CPU that will be on the market this year. I can go up to 8GB DDR2-1200 RAM and plop in 2 ATI Radeons in Crossfire mode (basically use dual graphics cards instead of 1). I doubt I will ever do dual graphics or that much RAM, but the options exists! I like a decent case that I can show off, so I don’t go cheap there either.

I normally would not have gotten a high-end PSU like I have listed below, but I picked up the Antec 850Watt PSU from a closing CompUSA for under $100. I couldn’t pass that up.

This will all be cooled with a water cooling system I’ll build. I’ll most likely get all of the water cooling parts from PetrasTechShop or maybe a few from FrozenCPU.com. I’ve used FrozenCPU for my last system, but I’ve not tried Petras yet. The parts are individually listed below. I choose water cooling because it keeps the system far quieter than if I relied entirely on air cooling. That and it looks cool!

Logitech G15 keyboard
Antec TPQ-850 850watt PSU
LG L226WTY-BF Black 22″ 2ms DVI Widescreen LCD Monitor x2
Lian-Li PC-60BPLUSII W Black Aluminum ATX Mid Tower
Asus P5E LGA 775 Intel X38 ATX Intel Motherboard – up to DDR2-1200 1333/1600 FSB
Intel Core 2 Duo E6550 Conroe 2.33GHz 1333 FSB
Corsair XMS2 2GB (2 x 1GB) 240-Pin DDR2 SDRAM DDR2 800 – 4s cas latency
Diamond Viper 3870PE4512SB Radeon HD 3870 512MB PCI-E 2.0
Western Digital Caviar SE16 WD5000AAKS 500GB 7200 RPM 16MB Cache SATA-300 Hard Drive
Lite-On Black SATA DVD Burner with LightScribe
Creative Sound Blaster SB0570 Audigy SE 7.1
AeroCool FP-01 55-in-1 Card Reader w/Flip-up LCD Screen
Okgear 18″ SATA II data and power combo cable-UV blue model OK105
some cable coils just to make the cables pretty?
dual 12″ cold-cathode tube UV lights from petrastechshop

water cooling parts
D-TEK Fuzion universal waterblock
Swiftech MCR-320 resevoir
Swiftech MCP635 pump (aka Laing 55 Inline 12V pump)
Swiftech MCRES-micro resevoir
Arctic Cooling MX-2 thermal
some 7/16 tubing, clear
some 120mm fans (x4?)
some coolant/dye additive

investigating radically simple IT!

Some business mag articles are insightful; others are as wasteful a time as listening to a broken record. Today for lunch I was at my second-closest Barnes & Noble Starbucks waiting to try out the new honey latte when I spied an IT article in the Harvard Business Review: Radically Simple IT (requires $$). “Oh neat.”

(Of note, I can pick up a copy and read the articles for free at the store, but I can’t get them online…meh.)

I skim the article and while I would love to read specifics on what Shinsei Bank did to be radically simple in their path-based approach to IT projects, I instead was bored to tears reading business cliche after business cliche after vague generalization (yes even generalizations can be vague) after fluff after fluff… It uses a lot of words and pages to esssentially say: “Be smarter about IT projects. Do better, more intensity, more cowbell!”

The mashed synopsis can be found online; I suggest reading it and wondering if that says anything new. I’ll answer that and say, “Nope, nothing new.”

Shinsei Bank, from the sound of the article, was in an enviable position from the eyes of us IT guys. They got to spend $55 million in a year to replace an antiquated IT infrastructure with a new enterprise system (whatever the hell that means) Well, I think many people would love to have the opportunity to flush it all away and start their operations anew. How often does that happen? Not often enough!

Fine, the article does have some good points later on when it talks about how to build IT. Things like minimal standards, simple architecture, and listening to users. But that’s pretty common sense, if you ask me. Anyone who has planned a system of any type, and had to live with the results knows these things (sorry consultants, sometimes your ideas suck when you live with them for years!).

The nonsense about “forging with business” instead of “aligning with business” basically makes me want to drown a kitten with my honey latte…stop reinventing terms for vague crap. Just say, “align with business with more intensity!” Or better yet, just stick to “align with business.”

Trying to move a project ahead with less requirements is simply asking for future finger-pointing from just about everyone. The reason we have so many damned requirements is due to the blame game that ensues after an IT project finishes and it’s not perfect for everyone everywhere for the unforeseeable future. But that’s really a corporate culture or management personality thing.

That’s my rant for this week; surprising since it’s been a relatively low-key week in which I’m beginning to build my next gaming machine…

pwn 2 own pool

CanSecWest will give round 2 of their PWN 2 OWN contest. If you can hack a box, you keep the box. This year they will offer up patched versions of Windows Vista, Mac OS X, and Ubuntu. They will also allow browser, email, and IM application attacks. I understand an out-of-the-box, fully-patched attack, but I guess one can argue “typical configuration” of those apps. So, thinking inside the box, I would expect the challenges to be centered on privilege escalation, finding something running as root level, hijacking something root-executable due to poor file access security.

Anyone ready to start a pool on which order and how these boxes will be pwned?

Order of pwnage
1. Ubuntu Linux – Ubuntu, the bloated desktop OS for Linux, is really not what you want representing Linux, but it matches the desktop use of the other two entries. Unfortunately, I think Ubuntu is the least vetted when it comes to security, and will be the first to fall. I wouldn’t be surprised to hear about poor file system permissions that lets userland replace something normally invoked by root. Or maybe an outdate package of something or other.

2. Mac OS X – I think everyone will still love to pwn the Mac and keep it in its place, making it a prime target. I suspect inherent flaws in the apps used will cause this breakdown, much like QuickTime last year.

3. Windows Vista – This might depend on the timing of patches, but I think Vista combined with IE7 will prove somewhat formidible, especially if the user is not an admin.

Most common attack vector
Web browsing – Browse to my site and get pwned! I think this will be, far and away, the most common attack vector and likely the approach used by the successful attacks. This might not result in attacking a flaw in the browser itself, but will involve the browser in some way.

my user education rules of thumb

My RSS reader is getting swamped because I’m behind. In trying to catch up, I see more QQing about user education (either lack of support or lack of value in it). Here are some of my personal guidelines about user education in regards to enterprise security. These are not hard and fast rules, but simply general guidelines for me.

1) User education helps inform users of and explain corporate policies and technical controls. A workforce that doesn’t know policy, can’t follow it. A workforce that doesn’t understand why a control is in place, will fight against or around that control.

2) User education helps those who truly want to do the right, secure, safe thing. Some people are quite open and actually thirst for this knowledge, both for work and at home. This is not all people especially when push comes to shove and the “right” thing means not doing the “easy” thing in your job. E.g. It is easy to just email that client the necessary SSN-filled spreadsheet than figure out or set up a secure transfer method via “encrypted” mail, encrypt mail, or SFTP. (Yes, I meant to list three things there…)

3) User education fills in the gaps that technical controls cannot adequately fill. There are security problems that simpy cannot be solved very well with technical or procedural controls. A salesman talking in the airport on his cell phone about confidential business plans can be overhead, and there’s not much you can do about that. Or it may not be technically possible to add more physical security to your building if you don’t own it. But user education can demontrate that the business is not negligent about such issues, and the user may change his behavior after such education (see #2).

4) Technical controls are more valuable than user education. To mitigate a particular risk, if the value of the technical control roughly equals that of the user education control, and they cannot add to each other, then the technical control should win out. While user education has value, it does not ensure anything. Even I, as an informed and careful sec geek, would rather not have to make judgement calls or risk mistakes dealing with a strange attachment. I’d rather it be stripped early, not delivered to me, or my system not vulnerable (patched, least rights, hIPS…).

5) User education is worthless without technical controls. This follows from some earlier points, but imagine a company that has little to no technical controls and relies on its workforce intelligence to be secure. At least with technical controls, there is some assurance of a certain level of unattended security, assuming good configurations and settings. With technical controls, you can trust and verify. With user education, you have to trust, measure, and generalize.

6) User education is especially valuable, nonethless, to the people who decide technical controls. IT and security staff need continued training. IT and security staff neeed continued training. IT and security staff need… We can’t make things right unless we know how to make things right. From developers to IT professionals to managers, the technical people need technical training. Part of “baking in” security is about kneading in the knowledge.

Parting thoughts: This is not to mean I think user education is worthless. I think a proper security approach blends both user education (along the guidelines above) with strong technical controls. I simply think the drink is more like 1 part user education to 9 parts technical control.

scripting games entries are posted to wiki

I am again posting my entries to the scripting games over on my wiki. Due to time constraints, I’ve not been able to devote myself at all to the Perl side of the events, but I have completed all the PowerShell ones (I’ve not turned them in yet and will do so as the deadlines approach). I also decided to try the Sudden Death stuff. Not sure why my first one scored 0, but I emailed them about it. I think me sending it in 1.5 hours before the deadline may have counted against me.

Overall, very fun exercises this year, and I get to learn more about PowerShell. I think the events are just a bit more complicated than last year, which is truly welcome!

Event 1 involved creating a word out of the letter conversion of a 7 digit phone number. Rather than stop at finding an answer, my script finds all the possible ones and just returns the first one.

Event 2 wanted to average scores from a text file and echo the top 3. This was pretty routine, and maybe one of the easier Advanced events.

Search: query for ‘sadly’

For some reason, just about every hour, the IP address 66.249.67.139 (crawl-66-249-67-139.googlebot.com) hits my site and does a one word search on my site. They’re rarely meaningful terms, although now and then it searches for some relevant to my site. Weird.

ms08-006 analysis by hd moore

Yesterday I mentioned the severity of MS08-006. Last night, HD Moore posted an analysis of this patch.

This is a server issue, and is only enabled by the use of certain coding practices that are not bad in and of themselves. Considering most admins have no idea what code is going on their systems, either from internal developers or third-party web products, this patch should still be critical for servers. I assume a purposely vulnerable and dangerous asp file will be released in the next few weeks that I can copy, put on a server, and auto-pwn it in some way (shovel a shell over asp?).

to be critical or not to be critical

Microsoft is in a not-so-enviable position when it comes to patch releases. Microsoft yesterday released MS08-006 as one of their slew of patches. They rated this issue “Important.” But if you look closely, it scores the highest severity in every category except one: number of systems affected. But if you have servers affected, this is about as critical as an issue can get, other than having it already worming around.

This sucks because techs like me want the real skinny, but we all know media will latch onto “Microsoft released a critical patch…” and drop off the, “…that only affects…” part. And then people like my managers of stakeholders on the systems in question will say, “But Microsoft themselves only rated this Important, surely you can slow down…”

There’s really no answer here, and I think Microsoft errs on the correct side, since I can figure out for myself that the issue is critical (assuming Microsoft continues to be detailed in their descriptions), but the common public is less likely to figure out the issue doesn’t matter to them. Still, it is a lame situation. Maybe Microsoft should only apply an overall severity to an issue only after identifying the affected products?

Or do what SANS does and split them up between client and server ratings. These are general enough and make damn good sense.