HeadHacker.net Launch

Posted on March 15, 2010

HeadHacker.net on mentalism, hypnosis, misdirection and influence

If you’re curious about social engineering and want to dig deeper, check out HeadHacker.net, a new blog about social engineering, hacking, hypnosis, mentalism and influence by Dale Pearson.

Dale is kicking off with a blog series explaining the basics. His latest post on hypnosis makes interesting reading as it dispels some common myths that I’ve even heard information security professionals recite as fact…

I look forward to reading more, as Dale is a no-nonsense type of guy and does his homework.

Unbelievable That This Went Unnoticed for So Long

Posted on January 17, 2010

Hiding, with 20-20 Vision

What Linux specific software would you consider has arduous and scrutinising source code security reviews?

Aside from “the kernel”, you might have said the Linux firewall: Netfilter.

The title of this post is a quote from a surprised Linux Netfilter team member, in response to a bug report from Florian Westphal.

Florian noticed that non-privileged users could add/delete/modify Ethernet Bridging ACLs, actions normally restricted to the system administrator.

Can I Haz Evil Client?

To exploit the vulnerability, you need a custom client. The official ebtables utility won’t let you abuse the bug as it makes a privileged call for a raw socket (SOCK_RAW) long before calling the vulnerable kernel code. Since SOCK_RAW requires network admin capabilities (CAP_NET_ADMIN), normal users Do Not Pass Go.

To become a link layer $DEITY, an attacker could remove the privileged calls from the stock ebtables client or write a small program that just calls the vulnerable netfilter kernel routine (do_ebt_set_ctl).

Where Did I Put That Check?

The side effect of that earlier SOCK_RAW call was unintentional auditor misdirection. If you audit the client code – without referring to the kernel code – you completely miss the bug.

This “slap on the forehead” bug is an excellent reminder that when we review “systems” for security weaknesses, we need to evaluate related components, as well as their interactions (“intended vs. actual”). If we don’t, we’re only looking at half the picture. This approach doesn’t just apply to code audits though: it’s equally valuable during real-world process audits.

Although a surprising omission, there is no suggestion this vulnerability was caused by premeditated client side security. That happens when misguided developers embed security checks solely in the client, often in the belief that no-one is as smart as they are. Vulnerability databases tell a different story.

What Can Developers Do About It?

An effective avoidance strategy for this type of bug is for developers to externalise their assumptions through the development of test cases (comments in code are nice, but give me a test case any day). Test cases embody developers’ intentions and, in the process, help keep the gun from the developers’ feet.
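As an added illustration (this is not kernel or ebtables code), here is a small C model of where the check sat and where it belongs, written in the regression-test style the paragraph above argues for. The caller struct, the capability bitmask and the rule counter are constructed stand-ins for the kernel’s capable() and the ebtables ruleset; the function names only echo do_ebt_set_ctl. The upstream fix put a CAP_NET_ADMIN test inside the kernel routine itself, which is the shape do_ebt_set_ctl_fixed follows.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the CVE-2010-0007 check placement. Not kernel code: the caller
 * struct, capability bits and rule counter are constructed stand-ins, and
 * the function names only echo the real do_ebt_set_ctl.
 */

#define CAP_NET_ADMIN 12   /* the real bit number from <linux/capability.h> */

struct caller {
    unsigned long caps;    /* bitmask of held capabilities (constructed) */
};

/* Stand-in for the kernel's capable(): does the caller hold this capability? */
static bool capable(const struct caller *c, int cap)
{
    return (c->caps & (1UL << cap)) != 0;
}

/* Number of bridge ACL rules installed: a stand-in for the ebtables ruleset. */
static int bridge_rules;

/* Vulnerable shape: the control path trusts whoever manages to reach it. */
static int do_ebt_set_ctl_vulnerable(const struct caller *c, int rules_to_add)
{
    (void)c;                       /* no capability check at all */
    bridge_rules += rules_to_add;
    return 0;
}

/* Fixed shape: the check sits on the privileged operation itself. */
static int do_ebt_set_ctl_fixed(const struct caller *c, int rules_to_add)
{
    if (!capable(c, CAP_NET_ADMIN))
        return -EPERM;
    bridge_rules += rules_to_add;
    return 0;
}

typedef int (*set_ctl_fn)(const struct caller *, int);

/* The stock ebtables client opens a raw socket first; that open needs
 * CAP_NET_ADMIN, so an unprivileged user never gets as far as set_ctl. */
static int stock_client(const struct caller *c, set_ctl_fn set_ctl)
{
    if (!capable(c, CAP_NET_ADMIN))   /* models the SOCK_RAW refusal */
        return -EPERM;
    return set_ctl(c, 1);
}

/* A client that reaches the control path without the raw-socket step. */
static int direct_client(const struct caller *c, set_ctl_fn set_ctl)
{
    return set_ctl(c, 1);
}

/* The test case the post asks for: "only CAP_NET_ADMIN may change bridge
 * ACLs" is asserted against the kernel routine, not against the client. */
static bool unprivileged_caller_is_refused(set_ctl_fn set_ctl)
{
    struct caller nobody = { .caps = 0 };
    bridge_rules = 0;
    int rc = direct_client(&nobody, set_ctl);
    return rc == -EPERM && bridge_rules == 0;
}

static bool privileged_caller_is_allowed(set_ctl_fn set_ctl)
{
    struct caller admin = { .caps = 1UL << CAP_NET_ADMIN };
    bridge_rules = 0;
    int rc = direct_client(&admin, set_ctl);
    return rc == 0 && bridge_rules == 1;
}

/* What an auditor who reads only the client sees: the stock path refuses the
 * unprivileged user even when the kernel routine has no check of its own. */
static bool stock_client_hides_missing_check(void)
{
    struct caller nobody = { .caps = 0 };
    bridge_rules = 0;
    return stock_client(&nobody, do_ebt_set_ctl_vulnerable) == -EPERM
        && bridge_rules == 0;
}

int main(void)
{
    printf("vulnerable routine, direct client, no caps: refused=%d\n",
           unprivileged_caller_is_refused(do_ebt_set_ctl_vulnerable));
    printf("fixed routine,      direct client, no caps: refused=%d\n",
           unprivileged_caller_is_refused(do_ebt_set_ctl_fixed));
    printf("fixed routine,      direct client, CAP_NET_ADMIN: allowed=%d\n",
           privileged_caller_is_allowed(do_ebt_set_ctl_fixed));
    printf("stock client masks the missing check: %d\n",
           stock_client_hides_missing_check());
    return 0;
}
```

The point of the model is the last function: a test written against the client passes for both versions of the kernel routine, so it encodes nothing about where the privilege boundary really is. Only a test that drives the privileged routine directly with an unprivileged caller would have turned red before the fix.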

(via: CVE-2010-0007: Linux kernel netfilter ebtables Missing Check)

Image credit: bommelmützenkind

The Google Breach, or How Running Their Archrivals' Software Cost Them

Posted on January 14, 2010

Update: McAfee investigation points to IE zero day. This finding makes my point for me.

In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft is expected to publish an advisory on the matter soon.
[…]

While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.

I’m intentionally keeping my commentary on this issue brief (there is already enough).

The attack vector against the Google corporate network is reported as an email with an attached PDF backdoor; i.e. the exploit relies on a security vulnerability in a local installation of Adobe Reader.

Google is web services. And they regularly remind us that they “eat their own dog food” by relying on those same services to run their business.

Google’s vision is the world run ChromeOS, a thin OS with just enough capabilities to plug into, and interact with, Google Services.

Google’s arch-enemy, Microsoft is about software (and now software + services). With a historical stranglehold on the endpoint, it’s hard to do business without running MS on at least some endpoints.

Google must be running Adobe Reader on something. I suspect – but I don’t know – that this is Windows.

How ironic is it that internal use of their rivals’ thick client desktop software (as the underlying platform) and 3rd party software – the very antithesis of the Google philosophy – was the key enabler in the breach?

(yes, web services and browsers introduce their own security issues)

There’s no suggestion so far that Microsoft software was at fault. The culprit appears to be Adobe. But “sophisticated” post-exploitation pivoting and data exfiltration software doesn’t just drop out of thin air. Nor does the implementation of stealth features. This stuff takes time to develop and embed. Sure, post-exploitation code exists for other platforms but APT consistently targets Windows based Corporate America. What was it Dr Geer (et al) warned us of?

If you were Google, what software would you mandate for employee endpoints now?

6 New Year Security Resolutions for This Security Wannabe

Posted on December 31, 2009

In 2010, I will:

Put my RSS reader on a Crash Diet

I don’t know about you, but seeing ‘1050 unread items’ in my feed reader does not fill me with pleasure. Instead, it starts to feel like “yet another inbox”. I don’t need another one of those :).

As of yesterday, I’ve switched from 500 feeds to about 60. This is my loyalty vote for bloggers I admire/respect and a reflection of an “essentials” only attitude.

I’m going to miss some stuff, but what’s the worst that could happen? Twitter makes up for some of the ground, but ultimately, I’m not going to lose any sleep over this. I hope it leads to me getting more out of my feeds. If you do the same and end up unsubscribing from this blog (shock, horror!) – no hard feelings – I’ll send the free suitcases of money somewhere else ;)!

I’m aware of other ways to remedy feed overload (Postrank, Yahoo! Pipes etc) but for now I’m keeping it simple.

To keep high volume information security and global news sources out of my feed reader, I’m using Netvibes. I’ve set this up with a single page containing key sources – in a multi-column overview page I can scan incredibly quickly. Netvibes will be closed unless I’m actively checking it.

Reduce my Dependence on Google

Google offers some very seductive services for free. They “just work”, are easy to use and efficient. I know, as I use a ton of them!

I’m increasingly concerned at the amount of the web and web experience that Google owns. This isn’t news in some ways and in the past I accepted the trade-off. My primary concern is protecting my privacy, rather than security.

It will be painful to transition away from Gmail and will take time.

For search I am switching to Bing.

Right now, I’m using Chrome (for performance reasons) to run Gmail and Google Reader – that’s it. Firefox for everything else.

Get off self-hosted Wordpress

Wordpress is featureful blogging software with a pretty featureful security track record (!). I like technologies that are low maintenance and don’t leave me wide open to automated threats and/or script kiddies. The Wordpress team are slowly making security improvements to the codebase and I’m grateful for my use of the software, but I don’t want to feel “dirty” running PHP in 2010 ;-) Oh, and Wordpress plugins are even worse from a security perspective than Wireshark plugins. Tip: If like me, you tried and failed when googling “secure blog software” et al, you’ll appreciate the search term “static website generator”. As regular readers will know, I’ve already switched this blog to Webby and it’s great – no dynamic code, no security worries. For my needs, Webby is excellent.

Compartmentalise my OSX Applications

I love my MacBook Pro and I like OSX. But I know it is less mature than either Windows or Linux from a security perspective. Apple does ship OSX with a program sandboxing feature, but it’s only turned on for a handful of applications. I’ve created a sandbox profile for Firefox on OSX and plan to do so for other apps that take inputs from untrusted sources. This will be an on-going process, both in terms of policy tweaking and applications contained.

Minimise my Browser Attack Surface

This is related to sandboxing, but more about attack surface reduction than containment. I created a new Firefox profile and installed just 3 plugins; for ad-blocking (AdBlock Plus), Javascript and plugin control (NoScript) and password management (1Password). I can still run the full-flavour Firefox if for some reason I need to, but this is no longer my default. Whilst this does nothing to eliminate Firefox vulnerabilities, it does reduce the exploitation opportunities. Plus, Firefox is damned fast again now! Do you really need all those add-ins?

Switch Gears with Twitter

I’m a fan of twitter and don’t feel the need to apologise for it.

In the past year, I have gained enormously by following and interacting with smart security peeps (and others outside of my infosec world). It’s led to collaborations that would have either been slower to happen otherwise, or simply would not have happened. However, it can be challenging in terms of attention management.

I’ve recently switched to using NutshellMail as a short term measure for periodic, timed delivery of incoming tweets by email. This immediately reduced task switching as I can close my twitter client without fear of missing out (or leaving the client running and getting sucked in).

This approach probably won’t work for you if you use twitter for conversations. I don’t, as I simply find it too clunky. I do interact though and I don’t want to lose that in the process. I will be less “real time” but 4-hourly intervals are good enough for me.

The other benefit is “inbox reduction”. Now tweets come via a single email to my personal inbox. I don’t have to “look somewhere else”. Not just Twitter, but Facebook and LinkedIn (although not Groups) too.


I plan to post more as I make progress on these items. I welcome your feedback.

All the best for 2010.

The Eurotrash Security Podcast - Security With Funny Accents

Posted on November 16, 2009

What happens when a bunch of us Europeans get together at Brucon and decide there isn’t enough European security podcast action?


The Eurotrash Security podcast is born!

Here’s the blurb:

We will start with a monthly podcast, featuring (European) guests from the Infosec community. We aim at providing a technically inclined podcast that will provide both offensive and defensive topics and hopefully some pretty good discussions on a plethora of subjects.

The podcast is co-hosted by Wim Remes (@wimremes), Chris John Riley (@chrisjohnriley), Dale A. Pearson (@daleapearson) and myself (@craigbalding).

We recorded Episode 1 earlier this month and saw a couple of hundred downloads in the first few days (which came as a pleasant shock).

If there is a topic you’d like to hear featured, a European security practitioner you’d like interviewed or anything else, drop us a note.

In iTunes, click Advanced→Subscribe to podcast and drop in this link

U, V or W for Incident Recovery

Posted on October 04, 2009

U, V or W

The Economist recently ran a piece describing 3 possible recovery shapes for the global economy.

… But the more interesting question is what shape the recovery will take. The debate centres around three scenarios: “V”, “U” and “W”. A V-shaped recovery would be vigorous, as pent-up demand is unleashed. A U-shaped one would be feebler and flatter. And in a W-shape, growth would return for a few quarters, only to peter out once more.

What struck me was the resemblance these shapes have to the response and recovery phases of real world computer security incidents. The shape says a great deal about the relative maturity of an organisation’s incident response capabilities.

V

The organisation has a well defined plan for rapidly responding to incidents.

Incident responders are clear on their mission, are empowered, equipped and well practised.

Key operational assets are identified and have well defined recovery procedures that are regularly tested by the IT team.

The defenders maximise their home advantage through building visibility in to help them quickly identify intruder activity and determine the extent of a possible breach.

Emergency contact procedures and numbers are regularly proven.

The network can be reconfigured dynamically to enable only “mission critical” internal and partner traffic during a severity 1 security incident (without bringing down the business).

IT teams are able to prove elements of system, application and data integrity against known, trusted baselines. Where this is not possible, recovery from trusted media is not only possible, but practised.

Discoveries about intruder methods and preferences from system and network forensics directly feed into build standards and monitoring systems. Vulnerability assessment checks are quickly updated and key assets rapidly scanned and remediated as appropriate to close open doors known to be preferred by intruders.

Sharing of threat intelligence with peers in the same vertical is the norm rather than the exception. Secure communication methods are already in place and the limits of such communication clearly defined in advance.

Post-incident procedures include root cause analysis driven by an experienced facilitator who either directly leads the change activity or hands off to someone with sufficient leadership to do so.

This organisation can continue core operations during an incident, can quickly recover and is able to bolster defence and detection rapidly to block or reduce the impact of repeat attacks from known groups.

U

Aspires to be a V organisation but fails to hire sufficiently experienced individuals to rapidly respond in the right direction.

Lacks management conviction and understanding about the true nature of today’s threat.

Fails to properly identify ancillary devices relied upon by key assets thus under-performs when it comes to recovery time.

Intelligence from forensics is partial and not fully acted upon. Intruders’ persistence mechanisms are discovered piecemeal and co-ordination between defender groups is only partially effective.

Some information sharing with peer organisations happens but its effectiveness is muted by management’s teething concerns around trust and competition.

This organisation recovers from the attack but the process is painful, tiring and more expensive than it needs to be. The impact of the breach is bigger and probably not fully quantifiable.

The CISO survives by the skin of his teeth. His best people will leave if they don’t sense real appetite for change. They won’t want to go through that experience again.

W

This type of organisation hires in the IR talent on demand through outside contractors. These hired hands are true experts – experienced, sharp and responsive.

The problem is they can’t possibly understand the business context. Nor can they wrap their arms around a large enterprise network in a highly compressed time-frame. They are handicapped by the lack of rapport they have with the various interest groups across the organisation, relying more on the power vested in them by senior management.

They do bring impressive tools and techniques to bear and impress some of “the locals”.

They work 24×7 to contain the intruders but are hampered by a lack of nimbleness in other teams they rely on to make changes to infrastructure. They foresee this (they are not new to this game) and circumvent where they can.

They stop the bleeding.

The patient – in the form of senior management – “feels better” again. Then management start weighing up the costs of having them around.

The consulting firm is kept on retainer but the star players are moved on to the next client site to fight the next fire.

But the intruders come back: better tooled up, more resourced and significantly better informed about the target’s internal network.

The organisation’s management suddenly finds itself back on the incident response roller coaster heading downhill fast.

The consulting all-stars will be brought back on-site as soon as they can be freed up and will eventually succeed in regaining control. But the recovery costs are at least double, the breach costs are likely more than double (the intruders had time to optimise their data extrusion methods) and the organisation still doesn’t have a sustainable strategy.

But, they may stand the best chance of bypassing the U shape completely as they’ve now been burnt twice and it’s cost them considerably. They also know what the right talent looks like. They may even poach from the consulting company…

Which leaves just one question: how many V style organisations do you know?