Security Stallions Blog "Musings of all things infosec…"

2 Feb 2010

Doing it Wrong – Uncryption of the Enterprise

Doing it Wrong (DiW)
Jay Jacobs and David Meier

Dave: First I'd like to take this opportunity to say "Hi!" to all three SecurityStallion readers out there. I know things have been a bit sparse since September last year but that's changing in 2010. The Digs are back and there's also some new article formats we're going to be throwing around. So with that lead in I'd like to welcome the infamous Jay Jacobs. Jay is one of the more realistic security practitioners I've had the chance to work with (albeit indirectly) and I'm pleased that we can do this type of spot together respectably titled: "Doing it Wrong". But what is this and why should you care? Over to Jay for the explanation...

Jay: Dave and I have had many discussions on various topics and "doing it wrong" stuck out as a title because that's what I kept thinking about Dave and I think Dave kept thinking about me. These posts should reflect that mutual respect. I also like the title, not just the initial Ha-Ha-ness, but also because it reminds me that we learn best from mistakes. If I would have gotten Sendmail working right away, I might not be able to spoof email with telnet. Realizing I'm doing it wrong means that I may be able to fix it. I look forward to challenging my way of thinking here.

Dave: Seriously Jay, you're still using Sendmail? That's a whole other DiW I guess! But, back to the meat: Uncryption of the Enterprise. So what does that really mean? Well, I've been around the track a few times (from a consulting perspective - it's really just like NASCAR, left turn, left turn, left turn...) and I tend to get riled up when things in the enterprise that should be encrypted are being tossed around the network, well, unencrypted. In fact, oftentimes I bring up the fact that maybe those NTP updates should be encrypted, or that OSPF adjacency is left ripe for the picking, or even that FTP is still being used as a primary transport facility in very, very, very large enterprises! WTF people? W-T-F? The best (and oft heard) excuse by far has to be from a monitoring perspective: "well then we can't see what's going on". The simple answer to that: if it's important enough to encrypt (PII, authentication data, sensitive information, etc...) and you don't have access to a point where you can extract, or view, that data in flight - then maybe, just maybe, you shouldn't be privy to said data in the first place. I know, this might be a real shocker, but just because you're sitting in the SOC or NOC and can control the data flow doesn't mean it's implied you should be able to read it. Encrypt if you have it, right? Jay? I mean, really, why not?

Jay: Yeah, I was still using Sendmail on my 286, but decided to upgrade for Y2K. Encrypt if you have it? There's a saying around cryptography: encrypting data is easy, it's the decryption that gets you. It's really easy to sit on a high horse (or Stallion, Dave) and say that everything should be encrypted; it's a whole different ball game to actually do it. As soon as data gets encrypted, a key is created, and then two things happen:

  1. Auditors flip to a new tab in their spreadsheet because a whole new set of controls around cryptography and key management must be understood, or at least implemented. Most IT folks, rather than view this as a development opportunity, see this as just more ways to screw up, which leads to...
  2. The typical IT admin gets a glazed look on their face and a mad rush ensues to find someone else to dump this crazy "encryption" on. Normally intelligent people all of a sudden look like they're being asked to captain the Titanic on her maiden voyage.

These two things are exacerbated by overly-protective frameworks and compliance controls that treat all the keys like they are dipped in gold and then encrusted with diamonds. Generally speaking, a key is just a long password (with a few caveats). So, while encrypting NTP is a no-brainer in theory, in reality the key management in the products stinks and nobody wants to sign a form saying that they understand and accept their key custodian responsibilities (thanks for that one, PCI).

Where to Fix (WTF)

Dave: I can see Jay's point (to a degree). Managing keying (as a process) and the keys themselves is a complex undertaking in large organizations. Fundamentally, however, encryption is a component of the enterprise. The task is simplifying it where it can be simplified. Use it as it was meant to be used: to keep things private. And don't, I repeat, don't use it as an afterthought or add-on unless there is no other option. If encryption wasn't designed into your system of systems from the beginning, adding it after the fact usually buys you as much improved posture as the hunchback of Notre Dame.

Jay: That's the rub: nobody is capable of designing encryption in because everyone does it differently; people should get together and make some type of open and interoperable key management protocol. Because rather than simply saying everyone ought to turn on encryption everywhere, I think it's more appropriate to say that we need to focus on the support structure to implement encryption. Something like meetings once a week, "Cryptos Anonymous" I'd call it, where normally well-adjusted admins show up and say, "Hi, I'm Jay and I'm a key custodian". Either that, or a well-defined key management governance structure with tools to back it up. Then we can start talking about encrypting the world.

Dave: "Encrypting the world" - <sinister laugh>Mua ha ha ha hahhhhhh!</sinister laugh>

14 Sep 2009

Daily Digs – 09.14.2009

Well, "daily" has been more like "weekly" as of late, but the digs are back.

I think this one is good on a few fronts, but mostly from a humorous perspective.  Joe Lieberman and Susan Collins should stick to whatever they do best - and that doesn't include addressing "cyber crime".  They're proposing a public / private relationship so that the government (really?) can help them defend against attacks.  OK, didn't the FBI's website just get defaced recently?  Unless the blunt plan is to put up some sort of subsidy (which I'm not at all endorsing) the government is just going to spin up more useless programs that are run by people who just-don't-get-it.
[Committee Examines Growing Cyber Threat to Businesses]
[FBI Jobs Site Gets Hacked]

Unique is not random is not secure.  I'm not sure that's a complete sentence, but it sums up the article on Newsoft's Tech Blog rightfully.  For a rundown of examples on the differences between the three concepts hit up the link.
[Unique is Not Random is Not Secure]

The Consumerist ran a story this morning with video from LiveLeak on a man installing a skimmer.  I'd have to say that I'm definitely more cognizant when using ATMs that are non-bank affiliated and portable.  At one point in time I really didn't like ATMs that sucked the card into the machine, however today it makes sense as less risk to me.
[Guy Installing Skimmer on ATM]

I can honestly say I really didn't know much about 'RNS' before I read this article today, but the Fed seems to have cracked down on a few of the key members.  I'm not sure why the title references RNS as an '0Day' group however.
[Fed Crackdown on 'RNS' Signals Death to Oldest 0Day Group Online]

Don't have the cash or time to go to one of the big name cons?  ChrisJohnRiley posted an article about the first online hacker con entitled SecurityTubeCon.  There's a call for papers (& vid) out until October 20th, so get your talk ready to go!
[First Online Hacker Conference]

That's all the time we have for comments tonight, but we'll leave you with some other links to ponder.  Thanks for stopping by!

[Windows Autoplay Behavior Updated]
[Gustav, the Hackerspace Twitter Bot]
[Loan Officer Indicted for Fraud and ID Theft]
[Dradis 2.4 Released]
[PhoneCrypt is Available for the iPhone (and entirely overpriced)]
[20 Temporary / Disposable Email Services]
[Hacker's Hideaway ARP Attack Tool Released]
[SourceFire's Vulnerability Report for September Screencast]
[Practical Intrusion Analysis Book Review]

10 Aug 2009

Daily Digs – 08.10.2009

Monday, bloody Monday.  At least we're in the clear!  Some interesting news as of today so with no further announcements let's dig right in.

Our first link is for a tool distributed, for free, from Sophos: Anti-Rootkit software.  It's recently been updated to support 64-bit versions of Windows and the upcoming Windows 7 (which, let's hope, brings the majority of Windows users into the 64-bit world).  No black-tie release event for this version, but at least Sophos is still putting it out there for "free".
[Sophos Anti-Rootkit Updated]

If you're in the Minneapolis / St. Paul area and you're in, well, pretty much any field, you've probably heard horror stories of United Health Group.  If we haven't had enough reasons to hate on UHG they're giving us a new one apparently!  Let's see here - they're not only selling the marketing data but also mapping risk ratings for health and life insurance purposes.  Way to go UHG!  You get my swift-kick-in-the-ass award for today.  If you can, do business elsewhere; UHG seems to treat their employees badly on top of the shady business practices.
[Your Prescription Data Has Been Sold For Profit]

Next up is some new functionality that will probably find its way into Metasploit.  Max's Remote-Exploit blog has all the details on 'psnuffle' including a screencast of the functionality.  Jam out to the techno beats while you watch the module in action!
[Psnuffle Password Sniffer]

I'm all about the Verizon Business Data-Breach Report.  That being said I think big vendors / carriers generally have over-hyped and under-performing security services in general.  Hopefully the security service doesn't share any of the service provisioning speeds that generally are, shall we say, not break-neck?  Anyway, if you're into hiring a big firm to do your due diligence for you Verizon can offer it on a silver-platter with a bill to match I'm sure.
[Verizon Business to Offer Risk-Based Security Service]

I happened to post this one earlier in the day and it got quite a bit more attention than I had expected.  The RedTeam blog has some Gimp pwnage fun that shows you how to embed some sneaky PHP in a GIF.  That and @hdmoore pointed out to me some extra fun to go along with the 'sploit. Double whammy!
[0wning with Gimp]

All your base are belong to...  Committers?  Sure.  Or just go patch Subversion if you haven't already!
[Holes Closed in Subversion]

One of the more prominent elite when it comes to OS X hacking: Dino Dai Zovi has posted to his blog a new article all about, you guessed it, rootkits!  This goes with his recent Black Hat talk and includes the preso, paper and code.
[Advanced OS X Rootkits]

So you want to speak at RSA in 2010?  Well, you better get in gear because the call for proposals is quickly coming to a close.
[RSA Call for Speaking Proposals Due August 14th]

SANS has a rockstar intro up to memory forensics today.  The write up includes looking at Mantech MDD and Volatility (which we've linked previously).  If you're just getting your feet wet in forensics this quick run through definitely won't hurt!
[Memory Forensics: A Practical Example]

I asked myself a couple weeks ago this very question: "Why in the **** is the .NET Framework Extension installed in Firefox?" and now I have a fabulous answer.  Wladimir Palant, of Adblock Plus fame, has a very thorough write up with linkage to other articles in the press.  If you use Adblock, you'll want to read this.  Microsoft up to their shady shenanigans - again.
[The Return of .NET Framework Assistant]

Tsk tsk, reinventing the wheel is BAD.  Especially when dealing with crypto.  And doing crypto in JS!  Don't believe me?  Well, you don't have to take my word for it, but how about going back to the link to Nate Lawson's "Crypto Strikes Back!" Google Tech Talk and you'll understand why.  The devs themselves even say it's only a "base level of security" (uhhh, there's no auth), so why not just save yourself the trouble and avoid it?
[jCryption 1.0 Released]

Fortinet is, apparently, going for the gold.  And in this case "gold" being public shares.  El Reg has a story up regarding the rare happening.
[Fortinet IPO]

Put this link out in mainstream C-Level inboxes and you'll have all kinds of heads rolling on Tuesday afternoon.  SANS has a post up about the consideration of renewing your A/V solution.  If you're not a complete security n00b you probably already knew that A/V is a waste of CPU cycles and whitelisting, not signature based blacklisting, is the only way to really go forward in today's shikata ga nai world.  Duh.
[Don't Renew that Antivirus Contract]

Looks like DHS is in the tubes these days.  Obama has another catastrophic fail on his hands with the latest being Mischel Kwon putting in her resignation to (shocker) go work in the, much higher paying, private sector.  Maybe if I tweet The Prez he'll mention me on Facebook and we can talk about it over Skype later.  Or how about this: maybe stop trying so hard with the communications outlets and focus on doing and not talking for a few months.  Because, we all know, Cash for Clunkers is really helping out!
[Mischel Kwon Resigns]

We end today's string of ranty posts with the exclusive in-depth that Tom's Hardware has posted of Charlie Miller on the iPhone SMS exploit.  Check it out, I was slightly tickled when I saw reference on the first page to AT commands.  GO GO GADGET MODEM!
[Exclusive Interview with Charlie Miller]

We commented all the good articles today so, don't hold your breath, no grab bag for today!

-windexh8er

3 Aug 2009

Daily Digs – 08.03.2009

Welcome to the 3rd production of Daily Digs here at Security Stallions!  It's been a long weekend with a relatively active Monday.  We've got a slew of links for your enjoyment with almost-short-as-a-Twitter-update commentary to go along.

First of all I'd like to say that knowledge sharing is the key to >80% of what I've learned in the security industry.  From the simple cases where I'm tipped off via a quick blurb on Twitter to all-out full disclosure, you just can't beat community sources.  That being said, Russ McRee has a great post over on HolisticInfoSe.org about his and Mike Bailey's talk around CSRF.  Although Russ mentions vids in the post he didn't link them, so I did a bit of quick digging and found them - just for you.  Hit up the links for more info.
[CSRF: Yeah, it Still Works]
[Netgear CSRF Attack Video]

UCSniff's authors Jason Ostrom and Arjun Sambamoorthy also presented at DEFCON 17 this year.  The tool, which was previously only available via BackTrack3, has more recently been released as a SourceForge project with a significant new feature set.  Another one for the toolbelt!
[UCSniff - UCS Attack Tool]

There's an article up on Silicon about CEOs needing to be less negligent with regards to security.  Very true, so if you like to chase the rainbow the article can be had below.
[Optimistic CEOs Must Not Neglect IT Security]

Ryan Naraine is one of the first to break the story on ATM skimming at DEFCON this year.  He goes on to tell us how Chris Paget of Google got scammed for $200 when debiting his account.  Note to all: get your cash at a reputable banking institution (i.e., where ATMs are built into the wall of the bank), in a casino, or somewhere else where security of money transactions would be extremely high.
[Fake ATM Skimmers Found in Las Vegas Hotels]

Do you know what Ippon means in Japanese?  Well you better -- it's "game over", and it's the name of a new tool for exploiting automatic updates.  Yes, this isn't anything earth shattering in terms of the base exploit, however the methods the tool can "win" at the game of insecure updates are pretty kick ass.  Read more about it over at the following TechRepublic blog post.
[Automated Updates: May Not Be Such a Good Idea]

File this one under the category of "About Damn Time" and you have Mikko Hypponen dropping news of Twitter starting to inspect and reject malicious URLs.  Although the article doesn't mention it Twitter is actually using Google's Safe Browsing API.  It's a (slow) start, but at least it's a start!
[Twitter Now Filtering Malicious URLs]

There's an interesting post by Susan Brenner over at CYB3RCRIM3 about whether or not we should reconsider the notion that companies under attack are prohibited from investigating the attackers and trying to locate them.
[Private Cyber Investigators]

Addonics announced an inline hardware encryption solution for most any SATA I/II type drive system.  What's great about the design is that there's also a removable cipher key to unlock operation of the unit, and it is also small enough to be mounted in a 3.5" drive bay. The CCM35MK1 is also NIST and CES certified.
[Versatile Hardware Encryption for any Computer]

Although not directly related to security, but big news nonetheless, VoloMedia has somehow received a patent for podcasting.  Really?  Who works in the patent offices?  Surprisingly, this hasn't been on many people's radar judging from Twitter activity today.  Slightly odd considering everyone and their brother seems to have a podcast these days!
[Company Receives Patent for Podcasting]

And tonight we'll leave you with what will, from now on, be referenced as the grab bag.  News that's worthy of reading, but we just didn't have time to comment on.

The links for the grab bag tonight are as follows...
[Hacking Surfpoint Terminals]
[DEFCON Air Traffic Control Hack]
[High-Security Locks Defeated]
[Opensourc3 Magazine Publishes First Issue]
[PayPal Suffers Outage]
[5 Tips to Stop Staff Snooping]

As always, thanks for stopping by and comments are always welcome!

--windexh8er