playstation network pwned; hard questions for sony

In case you missed it, the recent PlayStation Network outage has finally been acknowledged in a Sony release. If you were thinking it was a DoS, you’re wrong. It was complete pwnage [emphasis mine]:

…we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

In short, this is a big deal. Maybe not ultimately to Sony/PSN, but it is a big deal for the industry. And these are the hard questions:

1. How did this one breach disclose so much? Was it one issue or several that were leveraged? (As a learning opportunity, which is better, a single issue that caused your (gigs of) data to be exfiltrated or a series of leveraged weaknesses?)

2. No password hashing? Encrypting? Credit card information segregated/tokenized/hashed/encrypted? If it was, was the key management that poor? I hate to be the one to say it, but let’s hear that PCI compliance status… (without the PCI marketing spin)

3. What was Sony’s security budget? Or any budget around technology and the protection thereof.

4. If Sony’s deep pockets and ability to have a deep budget didn’t help, is this further illustration of security futility? If nothing else, it’s illustration of the view of digital security in profitable enterprises…

5. What if Sony *has* done risk analysis and determined to accept whatever risk was present? (Even the act of not doing anything is an unspoken acceptance of risk, in my book.) This is my biggest problem with risk and probability: You’re still susceptible to that one-in-a-100-years-hurricane scenario; and heads will roll. It’s also my biggest problem with security and the media: We, in security, believe that you *will* fail, and the media will always sensationalize everything it can. This will always shake out against us; even when we do things absolutely correct (and what organization lets us even come close to doing things absolutely correct?).

6. Do you blame the attacker or do you blame Sony?

7. What was the time-to-breach after they leveled their attacks against you? I’m hoping it wasn’t hours, days, or even weeks… I’m also hoping their breach-to-detection time is small.
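Question 2 is the one a practitioner can actually act on today. As an added example (mine, not anything from the Sony release or the original post), here is what “password hashing” should mean for a credential store: a per-user random salt, a deliberately slow KDF, a self-describing stored string so the cost can be raised later, constant-time comparison, and the same treatment for security answers. It uses only the Python standard library; the iteration count and the stored-string format are my assumptions, not any vendor’s.

```python
"""Credential storage that survives a database dump.

Added example, not code from the original post or from Sony. Stores
passwords and security answers as salted PBKDF2-HMAC-SHA256 strings;
an attacker who exfiltrates the table gets salts and digests, not
the secrets themselves.
"""
import base64
import binascii
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumption: tune so one hash costs ~100 ms on your auth hosts
SALT_BYTES = 16
KEY_BYTES = 32


def _normalize(secret: str) -> bytes:
    # NFKC so the same visible password hashes the same way on every client.
    return unicodedata.normalize("NFKC", secret).encode("utf-8")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<b64 salt>$<b64 digest>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check; any malformed or foreign record is a failure."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current algorithm or cost factor;
    call after a successful login and re-store with hash_password()."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations
    except ValueError:
        return True


def canonical_answer(answer: str) -> str:
    # Security answers get the same KDF; casefold and collapse whitespace
    # first so "Fluffy " and "fluffy" are the same answer.
    return " ".join(answer.casefold().split())


def hash_security_answer(answer: str) -> str:
    return hash_password(canonical_answer(answer))


def verify_security_answer(answer: str, stored: str) -> bool:
    return verify_password(canonical_answer(answer), stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)                                       # only salt + digest leak
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
    print(needs_rehash("md5$5f4dcc3b5aa765d61d8327deb882cf99"))       # True
```

The `needs_rehash()` check is the piece most shops forget: a stored format that names its own algorithm and cost is what lets you raise the work factor, or migrate off a broken scheme, one login at a time instead of with a forced reset of 70 million accounts.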

One thing I won’t harp on is how long or quick it took Sony to announce something to its customers. A 6-day period during which it took the network down to analyze the extent is not entirely something I can get upset about. And you certainly don’t want to tell 70 million customers something until you know it for sure; not just because of a loss of customers, but simply because if you’re wrong, you’ve just done fucked up even worse. This is an announcement you take the time to get right; and 6ish days is not unreasonable. Does this mean an attacker may have had free rein on credit card information (etc) for 6+(time of breach-to-detection) days? Yes, but when is that *not* the case?

nook color update adds a market, flash support, and more

I mentioned on Twitter yesterday that Barnes & Noble has released its long-awaited update to the Nook Color, which includes Android 2.2 Froyo, Flash support, an app store, and other updates. Really cool!

While the app store has been down for me all day (not something I’d hold too hard against someone, since I’m sure the load is high and the site brand new), I’d overall give the rollout a “B” grade so far.

Pros: Excellent upgrade and the chance to buy and install apps! Flash support really rounds out the web experience. Things just overall seem faster. Essentially, they’re transitioning the $250 e-reader+ device into an actual tablet. Good deal! I know this is a short list, but it’s a big update. (A continued pro for the device itself is the better, less proprietary format of media in comparison to the Kindle.)

Cons: The app store is “curated,” meaning it’s a B&N store and *not* the whole Android market. While this makes me sad, I understand why they would do it, both from a profits perspective but also support. (Why allow users to install apps that won’t work? And what about the lack of the traditional Home/Menu/Back/Search/Settings buttons that some apps require?) Bluetooth radio is untouched and still not enabled (Can’t blame them, but *I* personally want it so I can hook up a gamepad). Also, still no geolocation, though I don’t think that’s even possible with the current hardware, and even if it were, the usefulness would be severely limited without 3G connectivity.

Compared to my autonootered Nook Color: Bottom line, my rooted Nook Color can do more apps and play more games (NES/SNES…) than my non-rooted Nook Color, so I don’t yet plan to unroot that particular one. Sure, there are some small issues like needing to kill a particular task to get the Extras to update after an install, but I still really value the apps that are not yet available on the B&N storefront. If and when they expand further and cover any apps I’d want, the move would be a no-brainer.

If you have a non-rooted Nook Color, this update is a no-brainer and a huge deal.

the triforce of power is recovered

Not a big deal, but thought I’d mark the occasion where I now own the terminal23.com version of this site to go with the .net and .org. Ever since I wanted to name my site this, some group has held the .com version (along with many other terminal##.com sites), but it has since been relinquished.

Not that I’m going to actually *use* that domain, but it’s a nice full circle sort of thing to have it under my control.

CAs have a nice scam going on with constant cert renewals, but registrars have it even better with all the damn top-level domains, let me tell ya…

the tracking has only just started

nCircle has a nifty article up about the dangers of what installed [mobile] apps know and access about you, whether they tell you or not.

This isn’t new, apps do what they want when you install them; always. What *is* new is how we now have this device with us everywhere we go; we put in social contacts, search, and use geolocation…constantly. That wealth of knowledge makes even *me* salivate…and I’m not even into advertising!!

Thought I’d repost this blurb I made recently in a HardOCP forum thread on the topic:

Besides, no one with a smartphone with Google/3rd party/provider geolocation services enabled should even begin to be worried about ISP/IP tracking. You’re already in far, far deeper with location tracking and delivered ads. Or if you don’t remain anonymous while using something like Google search. They’re already doing generic ISP location; I can’t search for many things without Google appending my city name to the back of it.

And no, people just accept it, and will let their privacy slowly erode. If it’s wrapped around an Angry Birds app, you’ve already lost the battle. If it’s a free search engine that you use while logged into your free email account which also houses your RSS feeds and IM/VOIP friend lists as well as a free DNS provider (tracks when you query) and free browser (that won’t let you globally disable scripting), all of which is also tied by account to your smartphone with a geolocation service…

…all from the same company*…you’ve already lost.

* Throw in things like Facebook and Twitter behind-the-scenes information-sharing, and you’re even further in the hole. (Oh, and all of this is opt-in by default.)

I don’t trust Google, nor do I trust Apple…and it really does suck that if I want a device like this, I’m screwed. If I want these convenience-adding apps that *need* a business model and to make money any way they can, I have to feel dirty when I install them.

By the way, recent news is that Apple requires and uploads location information from their devices. This raises the question: How come Apple doesn’t retrieve every single device that is ever stolen? If my device spends a huge chunk of time in my home, and suddenly spends it elsewhere shortly after me reporting it stolen…help a brotha out, ya know?

my one (almost) “told ya so” amazon rant

Way too many people have run around all crazy about the recent Amazon cloud outage that left various companies and persons high and dry for a period of time. I won’t belabor the topic further but to point out two links.

First, this wonderful forum thread that claims patient lives are at risk with the outage. Talk about fail; sort of a laughing while facepalming issue. Be thankful your business (probably) doesn’t actually have lives depending on it…

At the end of that thread is a link to a blog post that essentially reasons that all of this is Amazon’s fault.

I wouldn’t presume to say Amazon, in this case, didn’t overpromise or even mislead people; they may have just flat out fucked up.

But, so what? Does that mean your customers nod and say, “That’s ok?” Does that mean you get your revenues back that you lost? Maybe a refund? Does that mean your boss isn’t going to throw your ass under the bus when shit hits the fan? When he asks the status, you just point over to the Amazon support number and say, “They’re working on it?”

If I give you a promise and I fail to deliver, what the fuck are you going to do? Sure, we may be talking contracts and actual damages and, worst case, tort law, but do you really think that’s going to help? What if the court says, “Hey, why didn’t you have a backup plan?” Or what if I skip town? What if the event is so catastrophic that your provider collapses and goes bankrupt? You really *can’t* rely on something like that to help you out. While you shake it through the courts, your business might be done; or your job.

I dunno. Maybe it’s the operations guy in me who knows that outages occur and they occur for an infinite number of reasons. And the less money you spend, the more of them you get.

Lastly, if Amazon fucked up and didn’t do something right, do you really think some other provider (not named Akamai, let’s say) will be less error-prone? Really? At least Amazon now probably has one less issue to ever deal with, right? They *did* just gain valuable experience.

As the blog post says, choose your provider carefully. Oh, and this issue somehow makes it easier to choose a provider? Or give any further insight that cannot be gotten by common sense? Or insight that goes beyond the magic curtain the provider puts up in exchange for managing your infrastructure for you? No. Saying that is like having a Toyota recall and then glibly telling your Toyota-driving friend he should have picked his car better. The proper feeling in response to that is, “Ass.”

security analogy attempts

You’re a firefighter in a burning building, but you’re not supposed to put out all the fires; the fires are just part of the environment. Instead, you’re just there to make sure it doesn’t turn into the Towering Inferno.

You’re the chaperone for an outing at the bowling alley for 8 year-olds. Your job is not to teach them how to bowl, but rather keep things fun, so you have the gutters stuffed with pads so they can successfully toss the ball down the lane for some scores.

we need deeper knowledge, and it ain’t easy

I was listening to pauldotcom 236 last night and Bugbear had a great point that I wanted to tackle. I’ve combined two quotes into one:

…in order to catch up with attackers, we’re going to have to understand our information systems better so that we can detect, triage, and deal when we do get compromised, because it’s only a matter of time. And that does not include clicking on a management console somewhere.

I wholeheartedly agree with this. As defenders and even as *effective* attackers, the knowledge has to get deeper. I would also add that this understanding also does not include just having good inventory and documentation; we’re talking real, expert/working-level knowledge.

Sadly, I wanted to tackle this idea not to preach to the choir, but to play devil’s advocate, so it doesn’t sound like once you accept this idea your head is in the clouds where puppies and kitties frolic amongst forests of candy canes and pastures of Skittles. Instead, there’s a heck of a lot of pressure that keeps us from being the experts we need to be in order to do security well.

1. Technology moves on – Lifelong learning is a mantra in security; duh. But there does need to be acknowledgement that even if you devote the time to learn something deeply, someday you’ll start the whole process over when your knowledge is obsolete and needs updating. Once you understand A, we’ll have B, C, and D beating down our doors. Security is one area where you need to have deep knowledge on things past as well as what’s coming tomorrow. That’s a tough job, and it’s ego-sapping. You can’t come in with an ego and expect someone to help you. We’re constantly wise adults and learning infants at the same time.

2. Know your security tools as well – Deep knowledge on your own systems? Check. Deep knowledge on your security tools? Wait, what? As a recent Full-Disclosure post demonstrated, even security tools have issues. Could *you* have seen that Pangolin reported back to a mothership? The security community is just as interested as any in punking its own, and who better to pwn than the guys with the vuln reports, admin access, and risk analyses?

3. Security dashboards don’t [always] help us – My one biggest issue with security suites and large management tools is that the same interface that allows management of an enterprise-wide array of data/systems/information is also the interface that steals away our ability to be agile, hands-on, and expert with the underlying roles it serves. If you rely on a tool to do your nmap scans, you’ll lose the ability to do your own nmap scans without the tool. Layer such management tools on top of other management tools on top of other layers, and pretty soon security analysts can only work on those monolithic management dashboards and can’t do crap on the command line, hands-on. That’s not to say you should know how to write an AV detector rather than buy an AV suite, but you do need to be functional underneath the tool if need be. Low-level skills are important, like those found in forensics or coding or traffic analysis or reading your own damn logs, etc.

4. Experts at everything – Yeah, as if it didn’t suck enough, all the technical things to know, we should also be aware of interpersonal social skills, from an attacker perspective (SE) to the inner political workings of a business. And the business processes, risks, and goals. Granted, this is why we make various levels in security, from technical analysts to risk managers, but still we’re far too few to rely on that stratification. We need to field questions and give actionable answers on a variety of topics including mobile security, virtualization and cloud, malware, espionage, physical theft, C++ code, .NET code, scripting, encryption cipher strengths, traffic captures, VOIP and VLANs, CCTV/IP cameras… Ever try to BS developers on security practices? 🙂 Ever get asked to prove that something is a risk or that the risk is more costly than the fix?

5. You don’t know enough – You know the saying, “There’s always someone better than you.” That’s true with knowledge as well; none of us will know everything about something. There will always be places to learn more, tricks to practice, technical talks to attend that don’t just speak obvious unhelpful generalities like, “security sucks.”

moxie on ssl authenticity and trust agility

A couple days ago I posted a reaction to the “SSL is Broken” topic floating around. Via Securosis I was pointed to a much better article directly from the mouth of an expert: SSL And The Future Of Authenticity by Moxie Marlinspike.

Rather than go all sensational and say something like, “SSL is broken,” Moxie digs much deeper and smarter by tackling the specific problems with SSL, namely authenticity and “trust agility.”

I look forward to Moxie’s future posts on proposed solutions. I agree with his sentiments, and I firmly agree with his reservations about tossing away CAs for a kneejerk replacement that may not be better and may in fact be worse!

This illustrates part of my point in my post: it is hard to patch an ultimately human problem. And I still really think that trust in a human-backed entity is inherently going to be a problem unless they have the ethics of the Supreme Court or something. And globally, that will never be possible. This is why I’ll sympathize with the idea that there are issues with SSL, but it might just be “good enough.”

[struck a really offtopic rant about complaining, thinking several plays ahead, and ultimately “just enough security” being ok, i.e. there *are* shades of grey…none of which was ever worth reading and so unformulated…]

To briefly put on my tinfoil hat, it might be worthwhile to say something like, “Let’s just get perfect, universal encryption for everything.” But never, ever, ever underestimate the desire for governments (and on smaller scales, corporate entities) to have the ability to intercept and inspect. Ever. China and other countries may make the news with their heavy-handedness, but don’t think for a moment that govs like the US don’t do many of the same things, only in more secrecy.

clubhack 15 available

ClubHack Issue 15 [pdf] has been released. This publication has several articles:

Mozilla Firefox Internals & Attack Strategies [interesting…could benefit from a video demo!]
FireCAT [good to spark interest]
Being Invisible on the Internet [poorly scoped, not useful]
The Information Technology Rules [interesting at least]
Configuring Apache SSL [decent instructions]
MATRIUX VIBHAG Introduction Part 2 [not sure what this is]

suricata plus snorby equals smooth-sec

Speaking of Suricata, here is a distribution iso for Smooth-Sec, which is a Suricata + Snorby build on top of Ubuntu 10.04. I have not tried this, so I can’t attest to how easy it is to install or get ready, but it sounds like a promising IDS/IPS setup, even though the wiki (documentation?) is behind a sourceforge registration-wall. The wiki is here!

an online comparison: suricata vs snort

Looking for a comparison between Suricata and Snort? I wasn’t either, but someone did it and posted the results online. While I’m not surprised by the results, I really wanted to link to this comparison mostly because of the way you can click around in the report and see various tidbits like what specific payloads they sent and other test cases. While this isn’t absolutely detailed and reproducible (take for instance all the client side attacks), it still should give anyone some idea of what to do to test your own IPS/IDS implementation, whether you’re an admin setting up a sensor or an auditor who needs to do some deeper verification that an IDS/IPS is performing as expected over a particular traffic segment.
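If you are going to build your own test cases along those lines, it helps to be able to check, before you ever send a byte at the sensor, that a payload really contains what a rule’s `content` matches look for, and to generate the variants (case changes, hex-encoded content) that a “detects X” claim ought to survive. The following is an added example of mine, not code from Suricata, Snort, or the linked comparison: a deliberately minimal matcher for the `content`/`nocase`/`offset`/`depth` subset of the rule language, applied to a constructed HTTP payload. The rules and sids (local range, 1000001+) are made up for the example; real rules use many more keywords (`pcre`, `distance`, `within`, `http_uri`, ...) that this toy ignores, so it is a sanity check on your test inputs, never a substitute for running the real engine.

```python
"""Toy Snort/Suricata-style content matcher for building IDS test cases.

Added example, not part of the original post or of either project. Only
content, nocase, offset and depth are honoured; subsequent content matches
are required to appear in order after the previous one. Everything else
(flow, pcre, distance/within, http_* buffers) is ignored, so a True here
means only "the bytes the rule asks for are present in this payload".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# key;  or  key:value;  where value may be a quoted string containing ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_content(content: str) -> bytes:
    """Turn 'cmd|2e 65|xe' into b'cmd.exe' (Snort |hex| notation)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            # text segment: unescape \" \; \\ from the quoted rule string
            out += re.sub(r'\\(["\\;])', r'\1', part).encode("latin-1")
        else:
            out += bytes.fromhex(part)   # fromhex skips whitespace between bytes
    return bytes(out)


@dataclass
class ContentMatch:
    pattern: bytes
    nocase: bool = False
    offset: int = 0               # skip this many bytes before searching
    depth: Optional[int] = None   # examine at most this many bytes after offset

    def find(self, payload: bytes, start: int) -> int:
        """Return the index just past the match, or -1 if absent."""
        begin = start + self.offset
        hay = payload[begin:]
        if self.depth is not None:
            hay = hay[:self.depth]
        pat = self.pattern
        if self.nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)
        return -1 if idx < 0 else begin + idx + len(pat)


@dataclass
class Rule:
    msg: str = ""
    sid: str = ""
    contents: List[ContentMatch] = field(default_factory=list)

    def matches(self, payload: bytes) -> bool:
        pos = 0
        for c in self.contents:      # each content must follow the previous match
            pos = c.find(payload, pos)
            if pos < 0:
                return False
        return True


def parse_rule(text: str) -> Rule:
    body = text[text.index("(") + 1:text.rindex(")")]
    rule = Rule()
    for key, value in OPTION_RE.findall(body):
        value = value.strip()
        if key == "content":
            rule.contents.append(ContentMatch(parse_content(value.strip('"'))))
        elif key == "msg":
            rule.msg = value.strip('"')
        elif key == "sid":
            rule.sid = value
        elif key == "nocase" and rule.contents:
            rule.contents[-1].nocase = True
        elif key == "offset" and rule.contents:
            rule.contents[-1].offset = int(value)
        elif key == "depth" and rule.contents:
            rule.contents[-1].depth = int(value)
        # flow, rev, classtype, pcre, ... are ignored by this toy
    return rule


def evasion_cases(payload: bytes) -> dict:
    """Constructed variants a case-sensitive content match will miss."""
    return {"as-is": payload, "upper": payload.upper(), "swapcase": payload.swapcase()}


def run_cases(rule_text: str, cases: dict) -> dict:
    rule = parse_rule(rule_text)
    return {name: rule.matches(p) for name, p in cases.items()}


# Constructed rules and payload for the example (not from any ruleset).
RULE_NOCASE = ('alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; '
               'flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)')
RULE_CASE = RULE_NOCASE.replace(" nocase;", "")      # same rule, case-sensitive
RULE_HEX = ('alert tcp any any -> any 80 (msg:"cmd.exe via hex content"; '
            'content:"|63 6D 64|.exe"; nocase; sid:1000002;)')
RULE_DEPTH = 'alert tcp any any -> any 80 (msg:"GET at payload start"; content:"GET"; depth:3; sid:1000003;)'
PAYLOAD = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n"

if __name__ == "__main__":
    for name, text in [("nocase", RULE_NOCASE), ("case-sensitive", RULE_CASE)]:
        print(name, run_cases(text, evasion_cases(PAYLOAD)))
```

The point of the `evasion_cases()` table is the one the comparison makes implicitly: a sensor that fires on the straight payload but not on `CMD.EXE` has a rule problem, not a traffic problem, and you want to know that from your own test set rather than from an auditor’s.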

By the way, if you haven’t before, feel free to browse around the site topics at the top and drill down to some useful how-to’s and sort-of-tutorials on various tools and techniques in security and pen-testing.

nook color to get android 2.2 update

I would be remiss to encourage rooting a Nook Color without making mention that Barnes & Noble has been planning on rolling out updates to the device that actually include Android 2.2. The only thing that may doom this in my mind is if B&N wants to lock people into their app store apps or some captive portal or something, which would be a travesty. This is an awesome tablet and device, and I would hope they embrace the creative ways people are consuming it rather than stifle it.

I even have a second Nook Color just to test out these updates on a non-rooted device. The worst thing about being a tinkerer with systems is that I eventually start to hate rebuilding something I broke. It’s one thing to make your main system a strange operating system, but you eventually take less risks with it because you don’t want to fuck up your main system, yeah? Well, at least *I* have that hang-up. So I like having a backup plan in place where I have other VMs or spare systems to do my dirty work on.

jim klein on innovation

In my last post I linked to a Nook Color-rooting article on an education site. Intrigued by this (sit back a moment and think how exciting tablets are for educators!), I checked out the author’s blog and found this awesome post about innovation. He made several points:

1. Innovators put little stock in criticism from the mainstream (example: iPod)
2. Innovators see opportunities in both the “old” and the “new” (example: Web 2.0 + Javascript)
3. Innovators embrace resource constraints (example: WWII German jet-turbine engines)
4. Innovators jump curves (example: ice farmers vs ice factories vs refrigerators)
5. Innovators don’t pretend to know the outcome (example: Friendster vs users)
6. Innovators aren’t afraid of failure, and are quick to let go (quote: Walt Disney)