Showing posts with label rants. Show all posts

Thursday, 7 July 2011

Information Security: Why we Fail

The very first word seems to be our downfall. Information. If we don't have all of it, we have already failed. So suppose you are in a sizable organisation. Suppose that this organisation has grown inorganically over the years.  You have a problem, and that problem is that there is no single authoritative source of information about your environment.

Now as a Security Engineer or Penetration Tester, how can you protect that environment from compromise? The answer: you can't. At least not until you rectify this problem first. The simple fact that is often overlooked is this: it takes only one machine being compromised for the situation to spin out of control. If your knowledge of your environment is incomplete and there are systems your security team is not covering because they don't know they exist, you have failed. It is a matter of when, not if, you suffer a serious breach. You can secure all of those other hosts on the perimeter, and it will amount to nothing. The host with SQLi in that subnet you never knew about will let the attackers in. Then they are on a trusted machine somewhere in your environment, and their possible avenues of attack are countless. Higher-ups within the organisation will demand answers: "Why didn't we catch this problem before? Why are we paying you people?"

So here's the point of my rant: If you are an org that is attempting a major Information Security initiative, make sure you equip your security people with the Information they need. If it isn't available, then you need to apply the brakes and fix that problem before anything else.


1. Identify all of the systems in your environment and where they are. Chances are you're going to find systems that should have been decommed years ago. There are instant monetary savings for you when you shut them off, as well as a positive step for Security.
2. Document all of these systems. What they are, who owns them, etc. Keep this documentation up to date going forward.
3. Identify roles and responsibilities of those systems, and segregate portions of your network appropriately. Implement proper access controls between these segregated environments. If you worry about PCI compliance, this is a MUST.
4. Now set your Security people to work. Deploy Vulnerability Scanning solutions, arrange Penetration Test Engagements, implement an SDLC, etc.
If you try to skip these first three steps, you will fail. I guarantee it.
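The first two steps above boil down to one check that can be automated: compare what your documentation says you own against what actually answers on the network. The following is an added example (not code from the original post) that reconciles a constructed CMDB export against constructed discovery-scan output and a list of subnets the security team believes it covers. The CSV columns, the scan line format and the 10.0.0.0/8 addresses are all assumptions made for the example; the three finding kinds it produces are exactly the gaps the post warns about: hosts nobody documented, "decommissioned" hosts that are still up, and live hosts in subnets nobody is watching.

```python
"""Reconcile an asset inventory against what is actually on the network.

Added example, not from the original post. The CMDB export, the scan
results and the covered ranges are constructed sample data; in practice
they would come from your CMDB and a discovery scan of your own ranges.
"""
from dataclasses import dataclass
import ipaddress

# Constructed CMDB export: what the organisation *thinks* it owns.
CMDB_EXPORT = """\
hostname,ip,owner,status
web-01,10.0.1.10,web-team,active
web-02,10.0.1.11,web-team,active
db-01,10.0.2.20,dba-team,active
legacy-erp,10.0.9.5,unknown,decommissioned
"""

# Constructed discovery-scan output: what actually answered on the network.
SCAN_RESULTS = """\
10.0.1.10 open:22,443
10.0.1.11 open:22,443
10.0.2.20 open:5432
10.0.9.5 open:80,1433
10.0.9.77 open:80
"""

# Subnets the security team has declared as scanned and monitored.
COVERED_RANGES = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str     # "unknown_host", "decommissioned_but_alive", "uncovered_subnet"
    detail: str


def parse_cmdb(text):
    """Turn the CSV export into {ip: record}; the header row names the fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return {rec["ip"]: rec for rec in (dict(zip(header, l.split(","))) for l in lines[1:])}


def parse_scan(text):
    """Turn 'ip open:p1,p2' lines into {ip: [ports]}."""
    live = {}
    for line in text.strip().splitlines():
        ip, ports = line.split(maxsplit=1)
        live[ip] = [int(p) for p in ports.split(":", 1)[1].split(",")]
    return live


def reconcile(cmdb, live, covered):
    """Compare live hosts against the CMDB and the declared coverage."""
    findings = []
    for ip, ports in live.items():
        rec = cmdb.get(ip)
        if rec is None:
            findings.append(Finding(ip, "unknown_host", f"answering on {ports}, not in CMDB"))
        elif rec["status"] == "decommissioned":
            findings.append(Finding(ip, "decommissioned_but_alive",
                                    f"{rec['hostname']} still up on {ports}"))
        # A host outside every covered range is one the security team is blind to.
        if not any(ipaddress.ip_address(ip) in net for net in covered):
            findings.append(Finding(ip, "uncovered_subnet", "no scan/monitoring coverage declared"))
    return findings


def run():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_cmdb(CMDB_EXPORT), parse_scan(SCAN_RESULTS), COVERED_RANGES)


if __name__ == "__main__":
    for f in run():
        print(f"{f.ip:12} {f.kind:26} {f.detail}")
```

Each finding maps onto one of the steps: an unknown host needs documenting (step 2), a decommissioned-but-alive host is a shutdown candidate (step 1), and an uncovered subnet is a segment the scanning in step 4 cannot reach until step 3 has been done. The check is only as good as the discovery scan behind it, so run it from inside each segment rather than once from the perimeter.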

Friday, 4 February 2011

Ligatt Security Breach - Gone too far

The latest development in the Gregory D Evans/Ligatt Security internet drama has gotten me thinking. For anyone who might not be familiar with what this is all about, I suggest you check out a few resources on the subject:
http://attrition.org/errata/charlatan/gregory_evans/
http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/
http://packetstormsecurity.org/news/view/18569/Gregory-D.-Evans-Tried-To-Subpoena-Security-Researchers-Passwords.html
and a must read at: https://365.rsaconference.com/blogs/securityreading/2010/06/10/how-to-become-the-worlds-no-1-hacker

In case you buy any of Gregory Evans' claims that he had permission to use those works, Chris Gates also known as carnal0wnage has publicly said that he never gave Evans permission and never received money from Evans. The saga is long and drawn out, and I won't rehash it here.

The latest development is that Evans and Ligatt Security were breached this week. Someone compromised his computer, and with it his email and twitter accounts. It seems two of his websites may also have been brought down as part of this attack. The simple fact of the matter is that this action was unacceptable. Apparently among the released information was the personal information of a lot of innocent people, including social security numbers, bank accounts, and routing numbers. Now let me clarify this even more. Even if it was only Gregory Evans' personal information, this would be unacceptable. Mr. Evans has a lot to answer for, but even he does not deserve to have his important personal information exposed in such a manner. This can be seen as nothing more than a violation of people's rights to privacy, no matter how much you might not like them. Those of us who are security professionals have made it our jobs to stop or prevent such violations from happening. The thought that such an attack may have come from within the InfoSec community is a worrisome one.

I will admit in a moment of human weakness I allowed myself to be glad of this news. That is a terrible thing, and upon reflection I find it a little embarrassing. The Internet has a power to take any disagreements or arguments and magnify them out of control until all pretense of civility is slowly eroded away and we are left with a monstrosity that no longer serves any purpose but to sustain itself. I see the examples of this in the recent Penny Arcade 'scandal' as well as the Ligatt drama. If we are past the point of behaving like mature rational beings it is time for us to absent ourselves from the discussion. Toward that end I would like to point out the posts I have seen by two people, Matt Jezorek and Sam Bowne. Their articles are well thought out and examples of clear rational thinking, despite Sam Bowne's own involvement in this saga. These are the people we should want speaking for us, and those of us who can add nothing better than what they already are (myself included) should probably just sit down and shut up now.

That is all.

Friday, 17 December 2010

Dear Mr Haywood, Welcome to 2010

There has been some controversy over the recent rise in bug bounty programs. One response was issued by Anthony Haywood, CTO of Idappcom. You can find his article here. I read this article in disbelief at some of the 'points' espoused in this article. I will avoid the more mundane trollings of the article and try to stick to the salient points.

At Idappcom, we'd argue that these sorts of schemes are nothing short of a publicity stunt and, in fact, can be potentially dangerous to an end user's security.
This is the crux of his argument. It is 2010, and we are still hearing the Security through Obscurity argument touted as a valid security strategy?

One concern is that, by inviting hackers to trawl all over a new application prior to its launch, just grants them more time to interrogate it and identify weaknesses which they may decide is more valuable if kept to themselves.
If a company is already at the phase of its security evolution where it is attempting bug bounties, it more than likely has an SDL in place. This SDL should include rigorous review, source code analysis, and even penetration testing by an internal security team. Nobody is suggesting that a company should rely solely on bug bounties to find its security flaws. Intimating that this is happening is a red herring, and this statement is a classic example of FUD in action. Mr Haywood is essentially saying "If you let hackers see your program before your customers get it, they will be even more likely to find ways to abuse it". First of all, to my knowledge these bug bounties do not include distributing pre-release versions of code to hackers on the Internet. It is simply a way of incentivising security researchers and/or hackers towards responsible disclosure by offering a monetary award for their contribution. Mr. Haywood, hackers are already going to be trawling all over these applications. A bug bounty is just trying to bribe them into giving what they find back to the vendor.

Which ties into my second point: what's the difference if they see it now or later? If a company did what you're suggesting, there will be a portion of people who may well hold back the information to use after release. There will, however, also be legitimate security researchers who will turn over what they find, which will likely overlap with the findings of the malicious sorts. This increases the chance that the vendor will be able to issue a fix before going to release. Explain to me again how this is dangerous, or negative in any way?

The hacker would happily claim the reward, promise a vow of silence and then ‘sell’ the details on the black market leaving any user, while the patch is being developed or if they fail to install the update, with a great big security void in their defences just waiting to be exploited.

Yes, some malicious hackers will try to do evil, but we good guys will likely find the same things and report them. Your statement seems to imply that anyone looking over the code would be malicious. Frankly, I find this insulting. I have turned in numerous vulnerabilities to vendors even without any promise of reward. I have gone full disclosure in the event that my attempts to elicit a response from the vendor have failed. The same can be said about any number of small time folk like me, never mind people like Tavis Ormandy, Michal Zalewski, HD Moore, Jeremiah Grossman, Rob Hansen, etc. You seem to be taking a pretty broad shot at the security community in general with statements such as these. Moving on.

Sometimes it’s not even a flaw in the software that can cause problems. If an attack is launched against the application, causing it to fail and reboot, then this denial of service (DOS) attack can be just as costly to your organisation as if the application were breached and data stolen.
I'm not even sure what point you are trying to make here. Yes there are Denial of Service vulnerabilities out there. What does that have to do with your argument at all?

A final word of warning is that, even if the application isn’t hacked today, it doesn’t mean that tomorrow they’re not going to be able to breach it.
That's exactly right. That is why a continuous security program needs to be in place. Security needs to be a factor from project conception, through the development lifecycle, all the way past release. Testing needs to be done continually. A bug bounty is a way of crowdsourcing continued testing in the wild.

IT’s never infallible and for this reason penetration testing is often heralded as the hero of the hour. That said technology has moved on and, while still valid in certain circumstances, historical penetration testing techniques are often limited in their effectiveness. Let me explain – a traditional test is executed from outside the network perimeter with the tester seeking applications to attack.
Wow. You take one possible portion of a penetration test and say "this is what a penetration test is" while ignoring all the other factors at play. An external-only Black Box pen test may go like this, but there are many different ways to perform a pen test, depending upon the engagement.

However, as these assaults are all from a single IP address, intelligent security software will recognise this behaviour as the IP doesn't change. Within the first two or three attempts the source address is blacklisted or firewalled and all subsequent traffic is immaterial as all activities are seen and treated as malicious.
If you are really, really bad at performing penetration tests, this may be true. A real penetration tester will pivot whenever possible. Since we are specifically talking about AppSec (that's short for Application Security, Mr Haywood) this becomes even more relevant. In pen testing web apps it is extremely easy to disguise yourself as a perfectly normal user. A standard IPS is mostly ineffective in this realm, and WAFs are notoriously hard to configure in any meaningful way that does not break a complex application's functionality. Also, remembering that we are talking AppSec, a good pen tester will probably have proxies he can flow through. So if an IP gets blocked, he just comes from a different IP.

I was a little perplexed by this strange attack on Penetration Testing. Then I found this article:

Idappcom seeks to displace penetration testers


Where you claim that your nifty little appliance will somehow replace penetration testers. So we can read your entire position as "don't trust manual testing, buy our product instead". Hardly the first time we've seen such a tactic from the vendors. Let's take a look at this for a moment though. Will your appliance detect someone exploiting a business logic flaw? Will it shut down an attacker connecting to a file share with an overly permissive ACL? Will it be able to detect multi-step attacks against web applications? Will it really notice a SQL injection attack, and if so how does it know the difference between a valid query and an injected one? These are the sorts of questions that present the burning need for manual human review on a repeat basis. No matter how hard you try, you will never be able to fully automate this. Actual humans will always find things a program can't. Let's move back to the techjournalsouth.com article though.

 Instead you need two and both need to be conducted simultaneously if your network’s to perform in perfect harmony:

   Application testing combined with intrusion detection

Congratulations, we have all been saying there is no magic bullet for a long time. However, you present only two layers of defense in depth. Application testing and IPS by themselves are not enough. You need a full Security Development Lifecycle. You need firewalls and IPS systems that are properly configured and audited on a regular basis. You need policies governing change management and configuration management. You need proper network segmentation and separation of duties. You need hands-on testers who know how to tear an application or system apart and find the weak points.


Intrusion detection, capable of spotting zero day exploits, must be deployed to audit and test the recognition and response capabilities of your corporate security defences. It will substantiate that, not only is the network security deployed and configured correctly, but that it’s capable of protecting the application that you’re about to make live or have already launched irrespective of what the service it supports is – be it email, a web service, anything.

First of all, see some of my previous points about IPS/WAFs and protecting against web application attacks. Secondly, let's talk about your 'zero day' protection. This protection is only as good as the signatures loaded into the device. I could write an entire book on why signature-based security mechanisms are doomed to fail, and I would be far from the first person to speak at length on this subject. For some of the high points just look back at my posts with Michal Zalewski about the anti-virus world. I'll leave it there.
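The "only as good as the signatures loaded" point is easy to see in code. The following is an added example (not code from the original post, and not modelled on any Idappcom product) of the simplest signature matcher a device could ship with: a list of literal substrings. Run over a handful of constructed request lines, it shows that the literal rule fires on exactly the form it was written for and nothing else, and that even after the obvious fix of normalising the request (URL-decoding, collapsing whitespace, case-folding) before matching, the detector still knows only what is in its list. The two signature names and the five request lines are constructed for the example.

```python
"""Signature matching is bounded by the signature list.

Added example, not from the original post or any product it mentions.
SIGNATURES and REQUESTS are constructed sample data.
"""
import re
from urllib.parse import unquote_plus

# Constructed signature list: fixed substrings, as a literal-string rule set.
SIGNATURES = {
    "sqli-union-select": "UNION SELECT",
    "path-traversal": "../",
}

# Constructed request lines in the style of a web server access log.
REQUESTS = [
    "GET /search?q=shoes HTTP/1.1",                         # benign
    "GET /search?q=1 UNION SELECT 1,2 HTTP/1.1",            # matches the literal rule
    "GET /search?q=1 union select 1,2 HTTP/1.1",            # same thing, different case
    "GET /search?q=1%20UNION%20SELECT%201,2 HTTP/1.1",      # same thing, URL-encoded
    "GET /download?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1",      # traversal, URL-encoded
]


def match_literal(request, signatures=SIGNATURES):
    """Rule engine with no normalisation: plain substring test per signature."""
    return [name for name, pat in signatures.items() if pat in request]


def normalise(request):
    """Decode URL escapes until the string stops changing (catches double
    encoding), collapse runs of whitespace, and case-fold."""
    prev, cur = None, request
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return re.sub(r"\s+", " ", cur).upper()


def match_normalised(request, signatures=SIGNATURES):
    """Same signature list, applied to the normalised request."""
    norm = normalise(request)
    return [name for name, pat in signatures.items() if pat.upper() in norm]


def coverage_report(requests=REQUESTS):
    """Return (literal_hits, normalised_hits): how many requests each approach flags."""
    literal = sum(1 for r in requests if match_literal(r))
    normalised = sum(1 for r in requests if match_normalised(r))
    return literal, normalised


if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r:50} literal={match_literal(r)} normalised={match_normalised(r)}")
    print("flagged (literal, normalised):", coverage_report())
```

Normalising before matching turns one hit into four on this sample, which is why a real IPS or WAF has a decoding front end. It does nothing for a request that uses a construct no signature describes, which is the case the post is making: a detector that starts from a pattern list can only ever confirm what somebody already wrote down, and the human testing in the rest of this article is what finds the rest.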

While we wait with bated breath to see who will lift Deutsche Post's Security Cup we mustn't lose sight of our own challenges. My best advice would be that, instead of waiting for the outcome and relying on others to keep you informed of vulnerabilities in your applications, you must regularly inspect your defences to make sure they're standing strong with no chinks. If you don't the bounty may as well be on your head.
Yes, and one of the ways you inspect these defenses is to have skilled people testing them on a regular basis. Relying on a magic bullet security appliance or application to save you is irresponsible and foolish. Don't buy into vendor FUD.

Special thanks to Dino Dai Zovi (found here and here) for pointing out this article.



Sunday, 25 July 2010

Moving on and Moving Up

The inevitable has happened. I am leaving my current job, and moving on to a new company. I am very excited about this new opportunity. The company I am going to work for seems like a great place to work. However, this will be the first time my family has moved to a location where we don't know anybody. We will have no friends and no family there. This is the part of this field that isn't so great. Jobs tend to crop up in very specific places, and you have to be ready to pick up and move in order to not lose a great opportunity. It was a hard decision to sacrifice all the personal reasons to stay in favour of all the professional reasons to move. We have family and friends here that we love very much. We like this area after being here only two years. My children will no longer be able to see their grandparents so often. However, I will be moving to a larger, more mature company, in a great area. The team I will be working with is full of very bright people who take this work very seriously. Even more importantly, the members of my new team know lots of things I don't. I will be working to learn a lot from them, and that is something I am eager to start doing.

Robert Khoo over at Penny Arcade said something in one of their TV episodes that has stuck with me since. He told a potential employee "To be successful at something, to be like the best of breed at something, means you make sacrifices. I would say nine times out of ten, that means your social life, and that is how you get amazing at something." I think that this is extremely true. Nobody ever got to be the best at something by putting in the same amount of effort as everyone else. You get to be the best by putting in more effort than everyone else, and working as hard as you possibly can. I don't know if I can ever be the best at what I do, but I won't stop trying until I am. I have a long way to go before I can be the next RSnake, lcamtuf, or Tavis Ormandy. The best part of being in this field is that those very people I wish to be better than will help me along the way. It may not be in a big way, but each of those three people has helped me grow already. Each of them has even taken the time to reply to emails and blog posts. These are people who will honestly share ideas and knowledge. That, more than anything else, is what makes this field great. So look out guys, one day soon you may be reading a white paper with my name on it. In the meantime I just want to say thank you to all of you, as well as Mark Russinovich over at Microsoft, for taking time out of busy lives to answer a few stupid questions from somebody you've never heard of...yet.

Thursday, 27 May 2010

Training courses - Nerd steroids

A few years ago when I was trying to break free of the more mundane trappings of IT, I decided to take some certifications. I began with CompTIA and took my Network+ and Security+ exams. Imagine my surprise when these certification exams took me no more than 15 minutes apiece to ACE. They were so easy it became embarrassing to tell people that I had bothered to take them. I have considered many times going for my CCNA and CCSP but never gotten around to it. I am now in the process of taking a 10-day course from infosecinstitute. This course is actually comprised of two courses jammed together into a single bootcamp. I am doing the online version of the course, unable to get my company to buy in for the additional costs of actually attending a physical class. These courses are centered around the CEH, CPT, and CEPT certifications. I am not very far into the first week of material and I am starting to get that sinking feeling again.

I don't want to bad mouth infosecinstitute and its training...at least not yet. However, the entire first day was essentially an introduction to using VMware and Linux. They do this because they want to be able to cater to people who might not have experience in those areas. My question is, what are such people doing taking courses on pentesting? If you don't know how to set up a VM, or how to kill a process in Linux, you've got a long way to go before you can be a pentester, and it is going to take a lot longer than two weeks. This is where the steroid analogy comes in. People seem to approach these classes as a quick fix, rather like steroids. "If I take this class, I will learn to be a 1337 h4x0r".

DarkNet has a post about training courses right now too. In it he talks about how the CEH is pathetic (I am inclined to agree so far) and then talks about a few other courses/certs. Frankly speaking, these look much the same as every other one I've looked at. They seem tantalizing at first, then you realize it's the same recap bullshit and you learn nothing new.

Let's give up on steroids guys, and start thinking about some workout regimens. I want to see training courses out there that say outright "If you don't know what the different kinds of vulnerabilities are, or if you don't know how to find SQL injection, XSS etc...don't take this class". Let's have some classes that start with "So you know how to find some vulnerabilities, let's talk about advanced techniques, and things you never thought to try before". Let's talk about how you maximize your extraction from a SQL injection, or what things work in Oracle or in MSSQL, or U2, or Sybase etc. Let's talk about some advanced encoding tricks, and how to pack JavaScript to get around filters. Let's talk about writing shellcode to try and exploit a buffer overflow.

I am tired of having to rehash the same crap over and over again. Then I read what RSnake or someone else is up to. I stop and think "hrm, what are they doing differently than me? What do they do better than me? Why?" I want to see training courses that answer those questions. I want something that says "okay, you're a pentester. Now let me show you how the big boys do it".

Anyways, that is my rant for the day. Stay tuned as I am going to be working on putting together a bit of a SQL Injection cheat sheet in the coming weeks. I hope to have something comparable to RSnake's XSS cheat sheet and a lot better than the other ones I've seen.