network diagrams: an underappreciated art

Posted on by michael

Why your network diagrams suck (and they do, which is sad because it’s a fundamental IT need):

1. You don’t have any.

2. You pooped them out last week.

3. You tried to put everything on one drawing (VLANs, servers, network gear, port-specific connections, IP addresses, serials, virtualization…).

4. You didn’t include enough info to answer questions the diagrams are meant to answer.

5. You have too many diagrams and they conflict. (Also see next.)

6. You don’t update them as you make changes (if you update them at all).

7. You auto-generate them from some network scan tool or inventory tool, and they just look like ass no matter what you do (or don’t say enough to be meaningful).

8. They all look and feel completely different because 4 different people maintain their own diagrams for what they control.

9. You don’t make diagrams from the viewpoint of the intended audience. What works for you won’t work for your contractors, auditors, developers, security/comliance, customers.

passive credibility is easy with social networking

Posted on by michael

Just perused on DarkReading an article about a social networking experiment centered around fake profile “Robin Sage.” I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend with a fake profile is a Big Deal.

(Disclaimer: I didn’t know about Robin Sage nor have any interaction with this experiment. I’m feeling left out!)

There *are* some interesting aspects, and I hope the forthcoming BlackHat USA talk will expond on some of these issues, and leave alone the silly issue with “omg I friended a bot” aspect. This is a lot like saying someone is dumb because they looked down when you pointed and said their shoe is untied.

1. People put stupid (and valuable) stuff online. Sure, Facebook and other places may seem like they’re private, but really they’re not when you don’t properly vet friend requests. Once you have more than 50, you simply can’t keep them all properly identified and you’ll likely start getting into the 2+ degrees of separation; i.e. the friends of your friends, and so on. So putting even your day-to-day boring diary bits out there can be revealing when you’re, say, in the military. Hell, you can even get closer to home and post that you’re out of town for a weekend, which can lead to a break-in by someone close to you. Or be stalked by someone obssessed with you. Sure, most of the time nothing will happen and certainly few people are truly targets of interested parties trying to piece together information from 1,000s of sources like a nationstate espionage net, but there is still risk in throwing such activities to the digital winds.

Passive credibility.I think this is far more interesting! If you want to gain some instant “credibility” in social networks, you don’t start pestering people when you have 0 followers/friends/connections. You start going after the ones who auto-follow you back. Then target the ones who seem to have so many, that there’s no way they can closely monitor them all. By then, you’ll have plenty of “names” that others will recognize, which can lend some immediate “credibility” for people who superficially check you out. And you can just slowly work from there. This is really all old hat, but effective.

Take Ligatt’s twitter account, for instance. At least early on, almost all of his followers were celebrities or other accounts that only follow-back out of politeness. He might have 500 followers, but 490 of them were never reading a thing he wrote. Likewise look at some of the #LIGATT infiltrators trying to redeem the company’s services through twitter posts. They scream “fake” because of the sub-2 followers/followees.

How does a spy not look like a spy? By having a presence in the community and with friends/neighbors such that they appear to be an average citizen. Not some loner, curmugeon who looks over his shoulder constantly and only does yard work at night or only get visitors who look like they’re Russian army castoffs.

Not so much these days, but certainly in the earlier decades of the Internet we all had this ability to take on a fake persona and build up a “brand” around it. Back then it was called having an online nick/handle/screenname. Today, we have so many average people using their real names online that seem so very surprised, shocked, that such subterfuge happens! TO those of us that have done these things in the past, this is certainly not new or surprising or even that hard.

3. Assets. Sure, most people don’t have anything to worry about. But plenty of people should be aware of how potentially valuable they may be to foreign agents (foreign being different/opposed to you, whether it be national or corporate). There have been decades of work done on turning assets in the meatspace of espionage, and much of that work is far easier in the online realms.

automated generic aspnet/mssql injection droppers

Posted on by michael

Earlier this month a wave of IIS/asp.net web sites were popped via SQL injection and started serving out malicious files. Most of the attention was given to the 0day Adobe Flash exploit being used, among other methods. But I’m interested more in the initial attack (being that my developers code in asp.net). The initial attack was an automated attack to find vulnerable SQL injection targets, poke around enough in the MS-SQL backend to find locations to inject, and then inject page data.

The links below give good info to the first half of this wave of attacks: attacking the server/app.

armorize
sucuri
nsmjunkie

metasploitable virtual victim machine

Posted on by michael

The folks at Metasploit have announced the release of Metasploitable, a virtual machine that is pre-built with holes, missing patches, and vulnerable applications which can be used as test targets for Metasploit attacks.

Many Metasploit users run their own virtual labs with various older versions of Windows for easy testing and practice. This is usually time-consuming to set up and maintain, especially when you also include Linux distros.

Metasploitable is an Ubuntu build, so gives many testers a new target to attack than a traditional Windows box missing a few keystone patches.

I wouldn’t be surprised to see this expanded further and used as the basis of a lab for training purposes…

ncircle on detecting tls legacy renegotiation

Posted on by michael

Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about Detecting TLS Legacy Session Renegotiation. I think Chris does a good job describing the issue in text form. Check the bottom of the article for even more technical details.

I expect this to come up a bit more. “Easy” findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report. Kinda like the entries that force us to drop SSLv2 and weaker ciphers because they’re, well, weak. Even though the attack itself is exotic and the probability is pretty damn low I’ll ever see this in action in my lifetime.

The TLS renegotiation thing is a bit more interesting, but you gotta admit it is still a bit exotic and still does require weakness in the app itself (unless the attacker can drop down to a weaker cipher or non-encrypted channels). Sounds like something that should be added to The Middler (if it doesn’t do it already). Real attacks would likey need to be tailored to each web app, but I bet there is a universal request that can be made that will throw back an error or something to prove the existence. Should *I* worry about this? No. Should someone working at a place with far higher security interests? Yes. Especially when it can be fixed easily.

the big wheel of disclosure debate keeps on turning

Posted on by michael

Ahh yesterday’s 0day has predictably re-opened the “going-nowhere” debate on disclosure. I’m pro-full disclosure. I’m not anti-responsible disclosure, though, when appropriate.

The bottom-line for me: I’d rather know about the issues and have them exposed so I can deal with them, than to have them stifled or hidden or the exposure delayed. Disclosure improves our security (responsible or full).

(While I am happy to respect responsible disclosure folks their opinions, there isn’t really an argument that would change my mind, just like I expect no argument of mine would change their ideas or those of the “no disclosure” camps. It just is as it is. I’m happy with the current state of vulnerability disclosure. Kinda like abortion rights, I think this is one of those areas where staying on the fence is the right choice, versus standing on one side or the other without any real clear, inarguable reasons [short of any bias, like the ‘duh’ of a vendor preferring anything *but* full disclosure…].)

windows help center 0day details released

Posted on by michael

If you haven’t yet, I’d suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows’ Help Center, code can be executed by anything (I presume) that can invoke Help Center.

Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down-deal. Honestly, I’d hope effective security folks wouldn’t worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessens the impact of sudden discoveries like this. Yeah…in an ideal world, right? 🙂

and the next wikileaks source will be…?

Posted on by michael

Liquidmatrix pointed me over to the Wired article on the growing drama between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts…

Part I: Dumb Criminals, Smart Criminals

Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.

I’ll start out by not even commenting on the morality of what has transpired in the above article. I’ll start elsewhere.

There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing ‘white collar’ types of premeditated (or even random opportunistic) crimes…those are difficult to pursue!. They’re typified by not being dumb enough to necessarily get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.

Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and more likely end up talking about what they’ve done by making dumb decisions or having dumb associations and misplaced trust.

Manning did a dumb thing: he talked to someone. Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.

A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.

Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?

Part II: Challenges in Organizational Security

“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.

I knew before reading the article that I wasn’t going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations.

The sobering thought on this is…Manning had no real beef with what he was doing. He wasn’t getting paid, he didn’t seem to have some external motivation. He performed what I consider a crime of opportunity. Thankfully, that’s “all” it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.

But this is why espionage (both national and corporate) scare me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access into your secret network and information, and leverage that relationship to siphon out information. Or worse, actually perform active sabotage or other planting of access for others. This is why “cyberwar” doesn’t scare me as much as rogue insiders, depending on the organization in question.

What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.

And don’t make the mistake in thinking Manning is an outlier. He’s just another face on the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.

I haven’t even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn’t* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nontheless!)

Part III: Information Just Wants To Be Free

“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”

Part of the underlying ‘hacker ethic’ deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form it can that presents the least resistence.

Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.

Perhaps…

But at least think about that when thinking about what should be held secret by a company and what effort may be needed to keep that “tendency toward freedom” that information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the, “Do no evil,” mentra, then there shouldn’t be many terribly damaging pieces of information (other than patents and trade secrets and the like) inyour possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?

adding some new links to follow

Posted on by michael

One thing I don’t do enough is make a mention when I add new (or missed!) sits and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone else, despite it being a great place to spend a Saturday morning filling up your own RSS feeds with my links.

So here are a few new additions to my links and feed reader:

www.attackvector.org
securitythoughts.wordpress.com (not to be confused with securethoughts.com)
beechplane.wordpress.com

What are my requirements? Well, for my own personal feeds list, the blog has to add something to me or my knowledge. Honestly, I’m horrible with my feeds right now as I have 1000s of items unread (a few high-traffic feeds boost that up, btw, like the once-amusing “my life is average” feed), so adding more has become a small question-raising thing these days. Kinda like buying a new book. Will I really read it? Will it be worth reading? Will it then be worth keeping around after I have finished? (sectioning off one’s time is one of the two big components to what I call actually growing up!)

For links on the left side, I tend to add anything that pertains to info security, including personal blogs of people who are in security but don’t always talk security. I don’t remove much unless it may be a blog that hasn’t been updated for 5 years or a site that is simply dead and gone. Other, lower links are things I find interesting or may find interesting to reference in the future.

I also don’t make a huge list of all the actual “news” sites out there. I try to get the important ones and the basic ones that end up giving me all the news I really need. Adding tons more just ends up with lots of sites all saying and linking to the same things.

sdl will save you money if you assume the worst

Posted on by michael

Robert Graham over at ErrataSec has a post in response to Securosis and Microsoft regarding secure development lifecycles. I’d have commented there, but they don’t allow anonymous comments…and I’ve been conscious to not browse around the web while logged into my usual account (something about correlation and tracking nonsense). And I look dumb posting as lvnewsreader. 🙂 So here’s my response:

Disclaimers: I’ve not thoroughly read the links Robert provided, so apologies if I sound dumb. I agree with everything Robert said in his post, so this isn’t really an argument so much as it is a situational “next-step.”

An SDL (or really any preventive security) really plays back into the great gamble of business; gambling with the risk of being breached or not (in whatever form).

But I think there *is* a case where prevention can demonstate a save of money: assume the risk of a breach is absolute. For Microsoft, I think we can safely say they will have weaknesses and thus patches to roll out. I’m pretty sure they can play the game of valuating the impact of those incidents, and probably spend on prevention and feel ultimately good about it. With Robert’s “sale” analogy, this would be the situation where your wife *was* going to buy that item today regardless of the sale, but she did actually save money (though possibly by sheer luck).

Assuming an incident is inevitable is easy to say, but hard to act on. Most organizations have years of no apparent critical security issues, and their mgmt will have a hard time accepting that suddenly the sky is falling. Just the same way many people think their home is secure, just because they’ve not witnessed someone wriggling the windows.

Side note: I really like Robert’s “sale” analogy. That’s actually a small pet peeve of mine. Sales aren’t meant to save someone money who is already buying something. It is meant to make a sale right at that moment that would not have been made anyway (or getting someone into a store to make other ancillary sales).

2010: the year you can’t avoid news on facebook and privacy

Posted on by michael

This post is just a small collection of related thoughts, mostly pulled from Twitter posts. I don’t consider Twitter something to re-reference later on, and a poor choice to save thoughts. Much of this is inspired by recent media-whoring about Facebook and privacy issues. A recent XKCD comic illustrates an aspect of my feelings about the subject.

I have a long-standing distrust of people and corporations in general, especially public companies. This is pretty much wrapped up in one of the more dangerous of the seven deadly sins: Greed. I turned away from Yahoo when they went public and started focusing more on money than on users. The same goes for my feelings on Google. Social networking is pretty much in the same boat.

social networks are the leftovers from the dotcom boom; the ones that got users (the first step). But they’re no more successful, yet.

The dotcom boom came with lots of interesting ideas, but busted when they were exposed to not be very viable as a business, and in many cases simply didn’t get enough eyeballs on their ideas (grocery deliver service? awesome! but not scaled up enough). There is still a latent boom-bust situation going on for the past 10 years in the form of social networking. Social networks and other “social” playgrounds online have garnered enough eyeballs (or clicks, hits, attention, whathaveyou) to survive despite having business models that are as shaky as anything from the actual dotcom boom. Sure, some of them can probably make money, but they certainly have to be careful to do so without killing themselves by driving away their users. How many people think Hulu or YouTube will still be relevant if they charge subscriptions? Or news sites?

(Aside: It’s funny how important these services have become to the Internet masses; how deeply they will defend them, but how detested they become when money is requested. Some may call users fickle. Some may say this is the essence of competition, since someone will always host things for free. But does that mean large centralized social networks are inviable and only smaller, self-sustaining, splintered groups can thrive? I’m sure there are parallels to be drawn with music, movie, and software pirating…)

Z[uckerberg] is doing web startups wrong. You make it free, get popular, get money, then sellout b4 privacy and a biz plan blow [you] up.

This is my opinion. If you can’t be viable in the long-term without lots of soul-searching and probably stepping on your own users, you’re probably better off building up your value and getting out while its high. Kinda like how Kevin Rose probably should have unloaded Digg.com. Or MySpace unloaded, or YouTube. If you found a company or site, get your user base huge, get your value up…you’re probably better off cashing out before it cashes you out. Zuckerberg should have gotten out by now before the house of cards started wobbling.

yes, zuckerberg, there is a simpler way to control your info. stop trying to weasel it out of people to support your business model.

This is part of why I distrust public companies, or companies that are looking (maybe desparately) for profit: They will do whatever they can get away with. No Facebook user should be surprised about Facebook privacy issues, or how Facebook tries to weasel around the issues and keep their access into your life while trying to make it look like they’re helping your privacy. They’re not. How else do you think they’re making money? Same goes for Google with searches and everything else they try to do. Invading your privacy is their business model. This has always been a business model, only these days we have very automated and highly technical and highly hidden ways of being victimized by it (networked appliances reporting back to motherships, what programs you watch, sites that index and analyze your information, search logs, tracking cookies, spyware, and so on…)

I dislike someone who complains about privacy when they dig or have dug themselves deeper into something like Facebook (either it’s important enough for you to do something about it, or it’s not important enough for it to chew up your energy and time to worry about). Or complain about privacy when they’re the damned owner of the damned site. Privacy is not hard. The hard part is maintaining the illusion of privacy while trying to maximize your penetration of it. (Kinda like getting that bar slut drunk…)