nCircle.com >> 360 Security


May 12, 2008

Secure360 Conference

I'm headed to the Secure360 Conference in St. Paul tomorrow and Wednesday. Despite the name, it doesn't have anything in particular to do with IP360 or nCircle. I attended this show last year and it was pretty valuable if you're part of the Twin Cities InfoSec community. Here are the sessions that look interesting to me and why:

Christopher Buse
Chief Information Security Officer, Office of Enterprise Technology, State of Minnesota
Building An Enterprise Security Program

In some ways, federal and state agencies are like large enterprises where the same problems are just harder to solve. You have more bureaucracy and no profit motive, which makes for some interesting challenges.

Anton Chuvakin
Chief Logging Evangelist, LogLogic, Inc
Application Logging 'Worst Practices'

This just sounds like fun.

Jay Cline
President, Minnesota Privacy Consultants
Project Plan for Data Inventorying and Mapping

Identifying and mapping sensitive data within an organization is a huge challenge. I'll be interested to see if Jay has any novel approaches.

Jenny Geisler
Principal Consultant
Governance and Ethics: An Overview

This has the potential to either be very very interesting or give me a chance to catch up on some sleep. There are some difficult questions to explore with governance and ethics, but you could easily have a presentation of the same title that studiously avoids all of them.

Ray Kaplan
Principal Consultant, Ray Kaplan & Associates
Spreadsheets From Hell - Measurements to Metrics

I'd rather see this presentation from a non-consultant, but it still has the potential to be informative.

Brent Lassi
Director of Security, Digital River, Inc.
Building a Culture of Security

It was this part of the description that got me, "resulting in a viral spread of security knowledge." Tapping into the socio-cultural mechanisms within an organization is a great way to get knowledge distributed.

Seth Peter
CTO, NetSPI
Payment Card Industry Data Security Standards Update

Always keeping up to date on PCI.

Gunnar Peterson
Managing Principal, Arctec Group
Building a Security Architecture Blueprint - A Strategic Approach to Enterprise Security

There's enough overlap here with Chris Buse's earlier presentation that I'll be interested to see how they compare.

Well, those are the sessions that caught my eye on the first pass through the agenda. I haven't checked out the schedule, so I've got no idea if I can actually attend them all. Maybe I'll see you there.

May 8, 2008

OWASP Toronto Presentation - Building A Web Spider

A couple of weeks ago I spoke at OWASP Toronto. My goal was to lead a discussion on building a web application spider... what you had to consider, pitfalls to avoid and so forth. I felt like it went fairly well; the discussion lasted about an hour and there was quite a bit of group interaction. I picked up some interesting things from the attendees and I'm hoping that they picked up some interesting ideas from me. At the end of the discussion, I was asked if I could make the slides and the sample source (for a very basic spider) available. So here they are.

PowerPoint Presentation
Simple Spider written in Python

April 23, 2008

Yes, update now...Xbox 360 style

Call me paranoid, call me whatever you like, but if you are going to download software to my system, please offer me the chance to review the ingredients before I click OK. Ultimately, it would be nice to know what I am about to approve, don't you think?

I wonder if I am the only one that feels this way. Major applications and OSes do a great job of offering this review before a user approves the update, but such is not the case in the land of the Xbox 360 game console. Sure, you could argue that the console gamer is not going to know a DLL from LSD, but nonetheless, offering optional information about what the update is going to do for them is good form. In Xbox 360 land, you get a screen that looks something like this:

[Image: Xbox360update-screen1]

and it would be great if the X or Y button gave you information on what was about to change on your system. And while you're taking down my feature request, wonderful product manager of the Xbox 360, it would be nice to see the update history of the machine.

Does the information exist? Sure it does, but you have to really hunt for it, and I'm not sure all the updates have made it to the web. For example:

http://blogs.msdn.com/xboxteam/archive/2007/11/30/december-2007-system-update.aspx

http://www.xbox.com/en-US/community/news/2006/1030-novemberupdate-completelist.htm

From a security standpoint, it just spooks me out when I approve an update to my system and have no idea what has been downloaded or what has been modified. The number of independent game developers for Xbox 360/Xbox Live is taking off and Microsoft has a solid program. Let's just say that things will start to get very interesting.

—tk

April 22, 2008

PCI Requirement 6.6 Update Released

It looks like the PCI Security Standards Council has posted their update to Requirement 6.6 (available here). They have provided information above and beyond what I mentioned last week. They have also provided a great deal of clarification around Web Application Firewalls.

Some interesting notes:

  • Reviews can be performed by qualified internal or external individuals. However, internal auditors should not fall into the same organizational unit as the developers.

  • There is text that identifies examples of where reviews will meet or exceed the quality of Web Application Firewalls. The two provided examples are:
    • Security reviews of source code during the development process.

    • Testing for the presence of web application vulnerabilities, either manually or via a specialized tool.

  • Testing must occur prior to the Web Application going live. (Note: Of course this doesn't mean testing should stop there; ongoing testing is key. As Braden Williams put it today, "You have to MAINTAIN what is assessed.")

Trey Ford has a great write-up and answers some additional questions that people may have... I highly recommend reading it.

April 21, 2008

Follow-Up: Microsoft Websites Open to Ethical Hackers

I blogged earlier today about this story posted on The Register regarding Microsoft's promise to not sue or press charges against ethical hackers reporting flaws in their websites. It's been picked up by a number of people, including Ryan Naraine, Dave Lewis and LinuxSecurity.com.

I wanted to know more on the subject, so I decided to contact Microsoft directly and ask for official clarification (since I wasn't at Toorcon to hear it first hand). The response came from Bill Sisk, Microsoft Security Response Communication Manager. Bill had the following comment:

Microsoft did not announce anything new at ToorCon Seattle regarding its position on responsible disclosure, but we did mention our industry leading online services acknowledgement, which went public in July of 2007. Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions.

As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services. If a vulnerability is responsibly disclosed, we will publicly credit the researcher for his/her assistance. We believe responsible disclosure serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the update is being developed. For additional information on how Microsoft credits researchers for responsibly disclosed online services security vulnerabilities, visit: http://www.microsoft.com/technet/security/acknowledge/faq.mspx.

So it looks like this has existed for a while and has just been overlooked (or perhaps forgotten); either way, it's great to see that Microsoft has the FAQ available on their website and, as Ryan pointed out on SecurityWatch, has set up a page to acknowledge people who responsibly disclose vulnerabilities in online services.

Microsoft is OK With You Finding Flaws in their Websites

There's an interesting story up on The Register from Toorcon. Since I wasn't at Toorcon, I can't confirm it, and I haven't seen any other stories that don't solely reference The Register's article.

Katie Moussouris, a Microsoft security strategist, told the crowd that Microsoft would not sue or press charges against ethical hackers who report security flaws in their websites.

This is a huge move in the right direction in my opinion. Web security is something that plagues almost everyone and it's good to see Microsoft making a move to improve their web security. Let's hope that more companies will follow Microsoft's move.

Let's also hope that Microsoft puts out something official on this subject, because so far... the only original piece I've seen is The Register's article.

If more comes on this subject, I'll be sure to blog about it.

April 19, 2008

Marketing FUD or Useful Comparison? You be the judge.

A couple of days ago Digital Bond posted a short blog post on Server 2008 Core. They had written about it previously and done a podcast (one of their partners is developing software to run on Server 2008 Core). One of the common themes for Server 2008 Core is the limited attack surface that it presents, as it is essentially "console-only". Actually, everyone refers to it as an OS without a GUI, yet cmd.exe is open as a window that you can minimize/maximize, and you can run Task Manager, Notepad, regedit and a couple of Control Panel applets, but close enough I suppose. Also, when logging in you get "Preparing your desktop"... really, all "GUI-less" means is explorer.exe isn't around. There are also folders in C:\Users\administrator: Saved Games, Music, Pictures, Links, Favourites, Videos (etc). Alt+Tab still works as well (with a GUI showing you icons).

Anyways, in this Digital Bond blog post, they talked about how the decreased attack surface meant that out of the 25 security bulletins released by Microsoft only 4 would apply to Server 2008 Core. The problem with that? Only 4 of the advisories applied to Server 2008 at all... so Digital Bond has just said that Server 2008 and Server 2008 Core had the same number of patches.

As a side note, the decreased attack surface for Server 2008 Core seems to really be on the client side. I counted 20+ running services on a fresh install; services like Remote Registry (which doesn't even run on Vista by default) are running on Server 2008 Core.

The four updates that affected Server 2008: MS08-021 (GDI), MS08-023 (ActiveX Killbits), MS08-024 (IE), MS08-025 (Windows Kernel Privilege Escalation).
The three updates that installed on Server 2008 Core: MS08-021, MS08-024, MS08-025.

So 75% of the patches released for Server 2008 also apply to Server 2008 Core... but let's think about this:


  • Server 2008 allows you to disable metafile processing, mitigating MS08-021.

  • Server 2008 has IE7 which has the affected ActiveX control in MS08-023 disabled by default and Yahoo! Music Jukebox wouldn't be installed on a server (unless you weren't using it as a server).

  • With MS08-024 we're back to IE again... Why are you using IE on your server in the first place?

  • With MS08-025 this is local and credentialed, which generally implies insider threat.

So out of the 4 patches, only one isn't mitigated by practical server hardening... and that patch applied to both Server 2008 and Server 2008 Core. I'm not sure why Digital Bond was making a big deal out of "only 4 would apply to Server Core"; one thought might be that they are pushing their partner's product, but a more likely thought is that they were saying *IF* (and that's a big, and useless, if) all 25 bulletins applied to 2008, only four would have applied to 2008 Core.
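The hardening the post leans on is checkable from cmd.exe, which is all Server 2008 Core gives you. This is an added audit script, not from the original post or from Digital Bond; it assumes the DisableMetaFiles value under GRE_Initialize is the documented "disable metafile processing" workaround for MS08-021 and that RemoteRegistry is the service name in question.

```batch
@echo off
rem Added example (not from the original post): audit the hardening points the post raises
rem on a Server 2008 / Server 2008 Core box, using only tools present on Core (no PowerShell).
rem Run from an elevated cmd.exe. Nothing here changes the system; the fixes are shown as comments.

echo === Running services (compare this count with the "20+" the post mentions) ===
sc query type= service state= active | findstr /B /C:"SERVICE_NAME"

echo.
echo === Remote Registry: runs by default on Core, not on Vista ===
sc query RemoteRegistry | findstr /C:"STATE"
rem To stop it and keep it from coming back (note the space after "start="):
rem   sc stop RemoteRegistry
rem   sc config RemoteRegistry start= disabled

echo.
echo === Metafile processing (MS08-021 workaround; assumed key/value name) ===
rem A DWORD DisableMetaFiles = 1 here is the "disable metafile processing" mitigation
rem the post says Server 2008 allows; an absent value means metafiles are still processed.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize" /v DisableMetaFiles 2>nul ^
  || echo DisableMetaFiles not set: metafile processing is ENABLED

echo.
echo === Installed hotfixes (match KB numbers against the bulletins you expect) ===
wmic qfe get HotFixID,InstalledOn
```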

[Disclaimer: I would never attempt to do this if I didn't think it was the only semi-plausible explanation for their report.]
Well, let's think about that... We can immediately eliminate all the Office patches (common sense: you don't install Office on a server). That leaves us with 15 / 25 (10 are pure Office only). Out of these 15, we know that MS08-025 existed, and MS08-002 was also privilege escalation and it affected lsass (which exists on Server 2008 Core). So that gives us 2 / 13 / 10 (possible, undecided, impossible). We also saw that the IE patch was installed... so let's accept that one all the way across. That's another 2, bringing us up to 4 / 11 / 10. We know that GDI was installed... that's 5 / 10 / 10. I have confirmed that wscript exists (even though it is 5.7... let's follow the rules and include it as a "possibility")... that's 6 / 9 / 10. There are two TCP/IP and one AD, so we'll include those... that brings us to 9 / 6 / 10. Now IIS exists on Server 2008 Core, so we'll have to include those two bulletins. That brings us to 11 / 4 / 10. Now the ActiveX Killbits update wasn't installed -- 11 / 3 / 11, and that leaves us with WebDAV Mini-Redirector, OLE Automation and DNS Spoofing. DNS Spoofing we'll put on the yes side... 12 / 2 / 10. WebDAV redirector I'll assume doesn't exist -- 12 / 1 / 11, and OLE Automation... well, the DLL exists in Server 2008 Core... so I'll go yes... 13 / 0 / 11.

That means that *IF* we had taken this approach to determine the size of the attack surface (which means assuming vulnerable versions of software which don't exist on Server 2008), that 13 out of 25 Bulletins would have applied.

So in the end, I'm not sure how Digital Bond came up with 4... however, I'd love it if they shared their process. Does Server 2008 Core have a smaller attack surface? Theoretically; however, I'm not sure if the attack surface is any less than that of a properly hardened and maintained Server 2008 install. In fact, as I pointed out earlier (with Remote Registry), in some cases it's less secure than previous versions of Windows. This doesn't mean people shouldn't use Server 2008 Core; they should just make sure they have a full understanding of what's happening in their environment and not treat Server 2008 Core as an alternative to hardening their server properly.
