some ranting to bring in the week’s end

Seems recently there has been a spate of incidents involving small/medium businesses where malware has opened the doors to fraudulent money withdrawals through bank web sites, or the guessing of credentials/security questions, or the tricking of customer support staff. Krebs has several articles in this topic. Rather than link around, I’m being lazy on a Friday and you’ll just have to take my word that I feel like I’m seeing these stories pop up more often this month.

We’re being taken for a ride through the same convenience that users are wanting. Convenient banking for mom at home is convenient banking for an attacker in Latvia who can get credentials. That, combined with the infancy of many of the authentication mechanisms for online banking, the infancy of security awareness by users (really, don’t do banking from the same system you view porn), and the immaturity of the banking establishment to seemingly do much about it, makes for a volatile environment.

We have a very litigious society, one that is quick to point fingers and shift blame. But we’re unfortunately all in this together. Convenience with money is not any one person’s or group’s fault. In the end, the end user needs to be more educated about computer security and not just throw their hands in the air and blame the bank when their browsing habits led to an issue.

(Then again, it’s still everyone’s fault if they were just browsing ESPN which happened to be pwned with malicious script that silently installed malware through an unpatched IE6 hole that was known about but not fixed or publicly disclosed…)

reading on microsoft subpoena compliance details

Ever wonder what Microsoft stores in their services about you, or how that might be used to aid criminal investigation? Seems an internal document has been floating around that discusses Microsoft’s lobal Criminal Compliance Handbook. Some thoughts…

First, if you live in the US (or China, and others) don’t be naive and think businesses can keep what you do secret, even in the face of a subpoena or government influence. Many of these services and tools (like Skype, AIM, GMail, your cell phone provider, landline phones, ISP, etc) wouldn’t be allowed if there were not ways to intercept or request stored information from them to track down criminals. Simply because of that, you know they have to have some method of easy records requesting or eavesdropping capabilities (like the guy in that secret closet at AT&T!). Don’t get me wrong, I’m not necessarily saying this is a bad thing; I actually do favor having that capability to use for authorized purposes. It’s just really difficult to maintain that ethical level of “authorized.” Lots of people were shocked to hear that Google has a web site to request subpeona materials. I wasn’t shocked they have that capability, although I was a bit shocked that it was just a web portal that was apparently poorly protected.

Second, even if it’s not true in practice, it’s nice to read that Microsoft internally does not want to do things like record IM conversations or store your email after you’ve opted to delete it (or at least they don’t want to provide such to authorities, but I bet that lines up with what THEY want as well). Honestly, I really wouldn’t expect Google to be quite as satisfactory in this regard. It is my impression that they want to record, keep, index, and correlate as much as possible, even things you’ve marked or thought were deleted or not recorded.

Third, transparency should not be scary. Is this doc scary to read? Actually, no it is not. The only thing this leaves is whether all of this really is done in practice, but seeing the doc does nothing to challenge that, in and of itself. A doc that says all this, but in practice they do the opposite and save much of this information in personally-identifiable/correlatable form would be a bad thing. But otherwise, I think everything in this doc is actually somewhat reasonable.

Fourth, just to reiterate, I’d be shocked if Google could even begin to do this same thing.

Picked up from the infosecnews mailing list.

sans top 25 released, and thoughts on procurement contracts

I’m just perusing a DarkReading article that talks about the just-released 2010 CWE/SANS Top 25 Most Dangerous Programming Errors and something about a software procurement security contract (link from 2009, so not sure if this is what was referenced).

Without the benefit of real dialogue/discussion on what the contract is trying to do and what it really means, my kneejerk reaction echoes what Gary McGraw was quoted saying in the DarkReading article(“The liability angle is not the right idea…”). A contract is an extremely heavy-handed way to try to ensure something you can’t ensure (secure). But I guess it does throw a punch to software developers where it hurts the most: money. Still, this isn’t about improving security so much as shifting monetary losses. In other words, the avoidance of those punches where it hurts the most. Should vendors/developers be responsible? Yes. But I also think natural market forces are “better” for this relationship than contract wording. You got hacked through bad software? Stop using that software. You bought bad software? Maybe your procurement *process* was hurried and flawed. Shifting costs…that’s all this really is.

It also has the dangerous possible side-effect of allowing software buyers to blame developers for everything, even improperly using software or nor properly following their own best practices for network security, isolation, and so on. You mean I can blame Microsoft because my Windows XP system was connected directly to the Internet without a firewall/router?

I also would be worried that we just get more violent about disagreements on what is considered a “security issue” or a “bug.” Contracts bring about discussion on semantics and definitions…things that don’t help anyone.

going off on product reviews

Bless his heart, I’m glad Rothman is back and blogging! I really enjoy his opinions and, quite honestly, I think we align up pretty well in our feelings and editorials. It’s like having a security soulmate!

Rothman recently posted a nice opine about product reviews. Honestly, I put most of my value in products based on just 2 things. My own experiences hands-on. And experiences of others who are hands-on and not either hand-picked from the vendor or have any stake whatsoever in pimping one product (vendor “partners”) or not pimping another. Basically, if I know you work as a net admin and you use product A, I’ll ask how you like it and what’s good/bad. And hopefully I get decent answers because if I pick up that I should hate McAfee products, can I tell my boss (and his boss) that it’s because CN hates on them on Exotic Liability’s podcast? I’d like I need to have some real responses, and that often only comes through hands-on with products, either myself or others I can trust.

I would love a venue for real reviews, kinda like HardOCP is to me for computer hardware. However, Mike’s right, I’m not sure there is money in it. I mean, I’m certainly not going to pay for the review results, and I’m not sure these industries have enough players to be properly compared to computer hardware review sites or video game reviews in gaming mags. Most IT product reviews I read in mags and sites are met immediately with skepticism. Are these two in bed with each other? Is that a paid-for ad on page 76 for the same product you’re “objectively” reviewing? Do they mention anything negative at all, or criticisms, or their competition? Hell, I even dismiss articles in Insecure when the author is the CTO…

Then again, half the beauty with HardOCP runs in line with what I value in researching a product: being able to ask questions on a forum to people who have real-world experience with said products. So maybe the real problem is finding a security-specialized community-building forum for discussing products, offtopic junk, and attacks. Yeah, I like the Security Catalyst community, but I really feel like I should be wearing a tie in there and refrain from community-building offtopic posts like, Best Super Bowl commercial. Or things you can bullshit about in IM or IRC. What if Infragard had an online forum that was protected but allowed anything you wanted to talk about without being too confusing and splintered into subforums? Then again, all it takes is a copy-and-paste and “sensitive” information is leaked. Pooh.

I’m stopping before I ramble some more… I think it’s time to start idling in IRC more and participating in some nice forums…digital social networking, if you will.

virginia timebomb puts more awareness onto insiders

Krebs has a story up about malware “destroying” 800 systems for the city of Norfolk, Virginia. Reading it drives home a few points, not all of which make me happy. I will say, it sucks bad enough to have power issues that affect lots of things, but it would suck worse to have to expediciously rebuild nearly 800 machines.

1. I’d conjecture almost every organization has a vested, financial interest in getting systems back to operation as quickly as possible. department heads, directors, managers, and the staff are all measured by that reaction. In addition, I doubt few organizations have extra staff and equipment on hand to handle any incident that effects even a fraction of their systems. This means there is often all the pressure in the organization to wipe off systems and get them back up and running, slapping hands along the way of those who stored documents improperly on their local systems. And very little pressure to preserve evidence or dig deeper in defining and scoping the malware and/or intrusion. Sad, but true.

2. “Insider” gets mentioned, and honestly, probably appropriately. But that never helps with my work, mainly because I’m an insider and an admin, and locking/auditing me can only lead to inefficiencies. Yes, I’m biased. But I get the desire, from an organizational standpoint, to prevent one rogue admin for stomping on the balls of whomever. I just don’t have to entirely like it, and I prefer to say things like, “If you can’t trust your admins, you need to question your hiring practices.” Besides, solving issues surrounding godlike admins is a rather tough (read: costly) task.

3. As commentors on the article have said, it is nice to have data storage policies and even some controls in place, but if users want to save things to their systems, they’ll find ways to do it. This dives deeply into our “gambling” sort of view to risk. Everyone has some inkling that their system hard disks are not magic and will fail eventually, but many people take the gamble and do nothing about it. This is one of those places where FUD scare tactics user education helps.

4. As always with reports like this, I’m left hungry for technical details. But I’m getting used to being unsatiated in that regard. At least I can trust what Krebs does report, and I believe he has reported all *he’s* gotten, too. Likewise, it begs questions like, could endpoint security have detected this? any sort of integrity auditing? And so on…at least, those are my questions I’d love to have answered if I sat in their SOC (if they have one).

notes on microsoft patches for february 2010

Patch Tuesday has come and gone, and I’d though I’d share a few notes about the patches this week, or rather, things that caught my eye.

ms10-003 – Office patch
ms10-004 – PowerPoint patch
ms10-005 – ms paint patch (yes, that ms paint; and how it opens jpg files)
ms10-006 – more smb client ownage (i.e. responding to a malicious smb server)
ms10-007 – shellexecuteapi (just know that this can be triggered via web browsing)
ms10-008 – your monthly set of activex killbits
ms10-009 – vista/2008 tcp/ip patches, including an anonymous remote DOS, as well as ipv6 issues
ms10-010 – hyper-v issue where guest code can affect host stability (and thus other guests)
ms10-011 – privilege escalation from local logon
ms10-012 – smb server (i.e. all Windows networked boxes) issues; including anonymous DOS
ms10-013 – malicious AVI files can r00t a box (beware your porn sites!)
ms10-014 – domain controller DOS via kerberos requests
ms10-015 – more local privilege escalations

I expect priv escalation issues (ms10-011 and ms10-015) to be tempting targets for Metasploit. Likewise, network-borne attacks against SMB I also expect to be exposed further (ms10-006 and ms10-012).

A few other attacks really should be patched on servers or you may risk insider DOS conditions in ms10-009, ms10-012, and ms10-014. Like teardrop attacks of old, these are still annoying risks, but hopefully modern networks have their risk limited via firewalls.

Opening bad websites and files is still a big deal. The Paint/JPG and AVI issues really do sound like easy exploits (ms10-005 and ms10-013). Likewise ms10-006, ms10-007, and ms10-008 can be browser-delivered. Hell, I wouldn’t be surprised if some of those local priv escalations could be delivered via web code or executed “codecs” and such.

I also wouldn’t be surprised if one or two of the network-borne DOS attacks could be extended to execute code. If so, that would elevate some of these risk levels.

Lastly, the holy grail of virtualization security is being able to jump from virtual guest system to the virtual host system. MS10-010 exposes an issue where code run on a guest system can affect the host system and effectively bring down all the rest of the guests. That’s not nearly the same as r00ting the host, but issues like this only make people worried. So far, guest-to-host attacks have been theoretical, academic, or highly impractical, and most would prefer not to think about the implications of a guest-to-host attack or how that changes PCI/compliance scopes and hardware allocations.

2010 gaming rig build notes

This is just me organizing some notes on building a new gaming rig. The last one I built 2 years ago still works great, but I want to transition it over to be my day-to-day Ubuntu desktop, and use this new one as an excuse to dive into Windows 7. So far, I have purchased nothing, and may not even pull the trigger, but at least I know what I want for now. I already have plenty of boxes and not enough uses for them!

Budget: In the past I’ve been budget-conscious and always planned to upgrade parts as the years go by. I’ve learned that I really just don’t upgrade much beyond peripherals or a few non-core pieces. Likewise, I’ve never really splurged on a system for myself. So this year, I’m planning on splurging with parts and pieces that should last quite some time. I’m not shying away from spending $3,000 on the system, and the parts listed below do approach that figure. Ten years ago I would scoff at such a budget, but I guess this is what happens when you get older and more fiscally responsible!

Use: First, gaming. Second, I also use this system for media ripping and burning and some pmp management (not with iTunes!!). I have no plans to rip and/or burn blu-ray media, but I think it is worth having that capability since I already want the blu-ray player option. Third, I pay bills and do banking on it. I don’t install software beyond gaming, and I don’t run strange media files or other files on it. Basically, I treat this system like a trusted box that I intend to do my sensitive stuff on. Since this isn’t my Windows “bitch box” that gets crap loaded on it, I can both trust it more and keep games running smoothly. This is not my day-to-day desktop where I check email and ESPN and blogs. I use Ubuntu for that. I also have other systems running Windows that I can do more experimental things on including a VMWare server. Hell, this box is big enough to leverage VirtualPC and run something in it to play with…

Notes not represented in the below parts: I already have decent 2.1 speakers, headset, keyboard, mouse, a 24″ monitor (2 if I wanted to use it on this system) and I KVM the input devices with my day-to-day Ubuntu box. I will also run a second liquid cooling loop that will hit, at a minimum, the graphics card.

Motherboard: ASUS P6X58D Premium LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 309.99

Motherboard: GIGABYTE GA-X58A-UD7 LGA 1366 Intel X58 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 349.99

Motherboard: ASUS P6T Deluxe V2 LGA 1366 Intel X58 ATX Intel Motherboard – 289.99

CPU: Intel Core i7-920 Bloomfield 2.66GHz 4 x 256KB L2 Cache 8MB L3 Cache LGA 1366 130W Quad-Core Processor – 288.99

Motherboard: GIGABYTE GA-P55A-UD3 LGA 1156 Intel P55 SATA 6Gb/s USB 3.0 ATX Intel Motherboard – 134.99
CPU: Intel Core i7-860 Lynnfield 2.8GHz 8MB L3 Cache LGA 1156 95W Quad-Core Processor – 279.99
CPU cooling: CORSAIR Cooling Hydro Series CWCH50-1 120mm High Performance CPU Cooler – 77.89
Case: Corsair Obsidian Series 800D CC800DW Black Aluminum / Steel ATX Full Tower Computer Case – 269.99
Case: COOLER MASTER CM690 II Advanced Black Steel body / Plastic + Mesh bezel ATX Mid Tower – 99.99
PSU: CORSAIR CMPSU-850HX 850W ATX12V 2.3 / EPS12V 2.91 80 PLUS SILVER Certified Modular Active PFC Power Supply – 169.99
Memory: G.SKILL Ripjaws Series 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800) – 169.99

Memory: G.SKILL 4GB (2 x 2GB) 240-Pin DDR3 SDRAM DDR3 1333 (PC3 10666) Dual Channel Kit Desktop Memory – 106.99
Graphics: SAPPHIRE 100281SR Radeon HD 5870 (Cypress XT) 1GB 256-bit GDDR5 PCI Express 2.0 x16 – 409.99
Blu-ray: Pioneer Black 12X BD-R 2X BD-RE 16X DVD+R 5X DVD-RAM 8X BD-ROM 4MB Cache SATA Internal Blu-ray Burner – 199.99
Blu-ray: LG Black 8X BD-ROM 16X DVD-ROM 40X CD-ROM SATA Internal Combo LG Blu-ray Reader & 16X LightScribe DVD±R DVD Burner – 89.99
Soundcard: ASUS Xonar DX 7.1 Channels PCI Express x1 Interface Sound Card – 89.99

Windows OS: Windows 7 Ultimate 64-bit – 179.99

HD: OCZ Vertex Series OCZSSD2-1VTX120G 2.5″ 120GB SATA II MLC Internal Solid State Drive (SSD) – 429.00

HD: Intel X25-M Mainstream SSDSA2M160G2R5 2.5″ 160GB SATA II MLC Internal Solid State Drive (SSD) – 499.00

HDx2: Western Digital Caviar Blue WD5000AAKS 500GB 7200 RPM 16MB Cache SATA 3.0Gb – 55.99×2

HDx2: Western Digital Caviar Blue WD6400AAKS 640GB 7200 RPM 16MB Cache SATA 3.0Gb/s 3.5″ Internal Hard Drive – 69.99×2
HDx2: SAMSUNG Spinpoint F3 HD103SJ 1TB 7200 RPM 32MB Cache SATA 3.0Gb/s 3.5″ Internal Hard Drive – 89.99×2

All main parts from Newegg. Other watercooling and misc parts from FrozenCPU.