nCircle.com >> 360 Security

Blogging Archives

May 15, 2005

Being the Thought Police...

I just finished reading a recent post to Dave's mailing list. I started to respond from my personal account on-list, and then decided that this one was better posted on the blog.

As the blog has become more widely read, I've struggled with some of the editorial responsibility - we've got a very opinionated team, and some people often say things that others may not like.

Druid's post to the list really irritated me. To answer some of the questions from the post:

> Makes me wonder why they /continue/ to use 'stuff' from
> Immunity when they seem to have such strong feelings
> against your company.

Simply put, "we" don't have strong feelings against Immunity. Personally, I'm a fan of what Dave has done, and, as should be obvious from my own post on the "morally reprehensible" topic, I've talked to Dave about all of their products - VSC, CANVAS, etc. I'm even a regular reader of the mailing list.

However, it seems obvious that not all members of our team feel the same way and I (for one) am perfectly happy with having spirited debate. I brought up Mary Ann's comments because I found them interesting. This issue can be debated either way, and it's an interesting one.

> Perhaps Byron Sonne (bsonne@) isn't in a position to make
> that decision, which leads me to wonder what
> level of PR clearance is required to post to
> the company blog. (:

This is the real point that I wanted to make here.

It's a blog - no PR clearance is required. None. At all.

I'm the one who is responsible for editing the blog, and I'm not going to play thought police here. I won't allow anyone to post anything illegal or discriminatory, but I also won't censor opinions that I may disagree with.

How good would the blog be if I had our PR team editing everything we said? It wouldn't be real, it wouldn't be true, and I doubt anybody would care to read it. I know that I wouldn't want to read a "corporate" blog that was nothing but a bunch of marketing-speak.

At nCircle, we encourage people to have opinions and speak their mind. Even if those opinions are sometimes unpopular. It's what makes it a place that people want to work.

I'm not going to play thought-police with our blog - if I did, would you ever trust anything that we say here?

> Otherwise their stance on the issue holds no merit.

Again - it's not "OUR" stance. It's Byron's stance. I may not agree with what he has to say, but I defend his ability to say it - it's a valid point in an interesting debate.

May 16, 2005

Consistency = quality metric?

One thing I feel is often overlooked or not given enough emphasis is consistency. It is seen very much in data gathering and statistics. For example, the consistency of ‘x’ happening can show us trends that ‘y’ may be a cause of error. Consistency in a dynamic, ever-changing world and field... in some ways, it sounds like an oxymoron. How can something be consistent, the same, in a changing environment? So consider consistency as a way of stabilizing these ever-changing variables.

We, as humans, realize that structure is important; actually, a necessity. Life itself, without order, is chaos. Templates and models are made as a starting point, an instrument for consistency. While I am not saying that there is a severe lack of consistency among us, I emphasize that WE can ALL improve on our consistency.

By being consistent in our work, we are not only better able to determine the source of errors, we also provide easier solutions. For example, in the IT field, we are able to update and maintain our databases more easily if our work is consistent throughout. Scripts, programs, and code all rely on consistency. It is through commonality that programs and scripts are made and exist to begin with. In the end, nothing is ever fully consistent; that would be perfect uniformity, and nothing is perfect. All we can do is continue to strive towards this perfection, decreasing the deviation by improving our consistency. After all, as Murray put it simply: Consistency IS quality.

November 8, 2005

Not your average Patch Tuesday

Every month we look forward to it ... the 24-hour adrenaline rush that sums up why we do what we do. You may be as disappointed as we are that this Patch Tuesday is different.

There will be no all-night War Room. There will be no Hunt (sorry void) poking fun at the Crazy Canucks over a Conference Bridge. Oh, there will be coffee, but it's just not the same.

Instead, there will be Byron turning out detection for 3 local Windows vulnerabilities while quietly rumbling about his love/hate relationship with network printers. There will be TK on the phone, doing his best Mike Murray impression with reporters looking for something interesting to shape a story. There will be Sheldon writing one blog entry and putting his daughter to bed tonight instead of 'seeing her tomorrow'. Other than that, there will be a team of brilliant engineers finding other things to work on.

Thankfully, we're in the detection and profiling business rather than discovery. Looking through this month's bulletin, I couldn't help but imagine how many hours were spent at eEye discovering this month's whoppers. The CCSO (Chief Common Sense Officer) in me sent strict instructions ages ago to turn off my preview pane in Outlook, but Lookout!! Now it's official.

Sorry to disappoint, but this is not your average Patch Tuesday.

Don't despair ... there's always December 13th, and we'll be here.

December 22, 2005

Don’t Make Predictions Just Once a Year

Make them every day!

To be brutally honest, it makes me sick to see everyone come out of the woodwork to make his or her predictions for the next year. Are you vying for one-upmanship? Do you somehow think that your once-a-year estimate for the next 12 months will provide true insight to someone else?


In order to pull yourself out of the quagmire of reaction and move into pro-action (is that a word?) you must estimate the next move at each and every turn. Don’t make predictions just once a year…make them every day, every hour and every minute.

January 4, 2006

The beauty of Blogging...

Anyone who hasn't should read Byron's latest blog entry. This, and the contrast with Jay's entry is the beauty of allowing people to share their opinions.

The fact is (even on a team of 20 people) we're divided on issues around worms, exploits, and responsible disclosure. And we exist as a microcosm of the security industry - this industry is incredibly divided over who truly is the evil in the industry.

And there are certainly people who agree with Byron - one need only read Slashdot to see that. There are many in our industry who believe that instant disclosure with live exploits is the only form of responsible disclosure, because it enforces corporate responsibility.

There are others who take the other side - that no exploits should ever be posted publicly. They believe that this is the reason that security holes are exploited. Many governments and law enforcement agencies take this position.

While I'm loath to talk about my personal position, I will say that I don't agree with either extreme - I think that we need to find a way to walk the middle road.

However, the beauty of having a forum like this is that we can encourage the microcosm that we are to enable discussion in the real world. Because these discussions need to be had, and people need to come to real answers and realizations beyond their opinions.

That only happens if we have real discussions about it.

January 15, 2006

I have said it before...

The hardest thing about running a blog is making sure that you don't censor it. If you do, it starts to read like a marketing-driven website, and it loses its raison d'être.

The difficulty is when things cross the line from good-natured, controversial debate, to genuinely offensive content. This is, above all, a place for exchange of ideas and thoughts. Some of those ideas and thoughts are going to be controversial, and tread on topics that some people might not like. Those things, we will always continue to discuss.

However, when the discussion moves from ideas to bashing other people in bad taste, then the reason to keep the discussion going seems a little harder to defend. And, for once, we had to pull some content which was found to be offensive by a few of our readers.

For those who were offended by that content, I apologize. Please feel free to email me if you have any questions.

February 2, 2006

Transdisciplinary

I believe that blogs are most appealing when they offer a greater transparency into an organization and its people. Blogs go well beyond what is formal and more toward a conversation you would have over a cup of coffee or a beer depending on your personal preference. In the spirit of this transparency, I’d like to share with you something personal to me.

I recently turned 41 years of age; I could not help but reflect on all the things I have learned and how much more there is to know. This obsession with learning has always been a part of who I am but only recently have I started to understand why my ways may be not so… conventional.

Since March of 2001, I have been the CTO for nCircle. Prior to that I was with Cisco, Morgan Stanley, and Broderbund Software. But before this career in technology, I was a professional musician, and before that, an auto mechanic. My point is that early in my life, I had a strong addiction to learning and found what I needed in music, science, auto mechanics, amateur radio, and so on and so on. You might be thinking: Wow, with all of this drive for learning, TK must have done well in school. What is TK’s educational background? It used to be that I would shy away from this topic because in my role as CTO, people with PhDs and very impressive academic accomplishments surround me. While I have a deep respect and admiration for their academic degrees, I no longer shy away from this topic and let everyone know that I never attended college, dropped out of high school at age 16, took my GED exam and got on with my life. Right or wrong, I never regret it for one second. Free from the rigid structure of our educational processes, I have been able to develop a transdisciplinary way of learning and viewing the world.

The term interdisciplinary has been overused, but it does describe the additive use of knowledge from several disciplines to confront a problem or to form a new understanding. Transdisciplinary is a meta level above interdisciplinary and is best described as a way to find the patterns and the differences that make a difference by taking the epistemologies from each discipline to drive inquiry. I know that is a mouthful and, for this conversation, it does not matter that you understand the details. It is important that you understand how one might fall into the trap of “fitting in” at the expense of true learning. Your genuine interest and inquiry into something that does not map well to an academic program or discipline does not invalidate the subject matter.

My father must have seen this in me at a young age because I got the talk that went something like this: “Son, if you continue to be interested in everything, you will grow up to be the ‘jack of all trades and the master of none’.” I was confused because in my mind I could not understand how you could be the master of any discipline unless you had the context and understanding of all the other disciplines. For me to understand the music, I needed a better understanding of biology or math. The list goes on and on.

While I do understand that disciplinary fragmentation is the result of increasing specialization, I will never understand why people think that problems can be solved within the same discipline in which they were created. Just because the content is new and up-to-date does not mean that the presuppositions or premises of thought upon which all our teaching is based are current. Essentially, the reductive and disjunctive way of thinking brought to us by Descartes and others will not serve us well as we try to “solve” problems in complex systems. This, I assert, is why we cannot go about the information security problem of the large enterprise in a reductionist manner.

I will conclude with a few crazy statements. The answer to renewable energy may exist in the mind of the rain forest; the answer to an enterprise architecture may exist in the ecosystem of the coral reef; and the answer to information security may exist in philosophy and anthropology. Even if it doesn’t, in our exploration we will be learning, and that makes me look forward to many more birthdays. Here’s to growing old, having less hair, and being transdisciplinary.

April 18, 2006

Exploit Development

I'm sure many of our readers are well aware of the Metasploit Project and the Metasploit Framework. Recently, the founders of the Metasploit Project started a blog (http://metasploit.blogspot.com/), filled with useful information and interesting insight from the members of the project. What makes this especially interesting is the most recent (at the time of writing) entry on their site, Exploit Development: GroupWise Messenger Server by H.D. Moore.

H.D. takes you through the development of a new module for the Metasploit Framework. Starting with the initial advisory posting, he walks through finding the software and then through the vuln step by step, using WinDbg and some of the scripts and tools included with the Metasploit Framework.

The reading flows and it's fairly easy to follow. Some knowledge of assembly would definitely be helpful, but even without it you should be able to work your way through what is happening. It's definitely worth checking out.

August 21, 2006

My Bi-Polar Computing Strategy

14 years ago, I made the move from a desktop computing environment to a mobile computing environment. The lure of always having my complete work environment available to me at any location had me hooked, and over the years I continued to purchase faster, smaller, and lighter machines. The ideal consumer, I spent hours researching and many thousands of dollars buying the latest and greatest in mobile computing. Staying productive was the name of the game, and there wasn't a place on earth where I felt without my creative tools.

My computing "habit" over the years required more connectivity, more memory and storage, and all these dimensions hit a critical point for me in July of 2006. My mobile computing timeline from 1992 to the present:

Apple PB 100
Apple Newton 110
Apple Emate
Apple Powerbook 140
NEC Ultralite Versa V50
DEC HiNote Ultra II
DEC Hinote Ultra 2000
Toshiba Tecra
SparcBook
HP200 LX
HP320 LX
Palm Pilot
ThinkPad A22
ThinkPad T40
Apple Ti-Book (400, 667, and 1.2M)
Danger Sidekick I (black/white)
Danger Sidekick II
Danger Sidekick 3
Apple MacBook Pro 2.16G dual core

I thought that my last purchase, the Apple MacBook Pro, would propel me to the next level that I needed in computing. This was my first multi-CPU mobile computer: 2G of memory, 120G of storage, and all the connectivity options available. I thought I had once again satisfied my needs and conquered the requirement to be tied to a powerful desktop computer chaining me to my office. I was wrong.

The MacBook Pro is hot (literally and figuratively). Sure, it was the first revision and I am a demanding user with compilers going in the background, lectures or music going via mp3 or mpgs, MS Office applications open, multiple browser windows, IRC, IM, and H.264 video conference clients, ssh sessions to remote servers, skype, to name a few, but that is just who I am and how I remain productive. The main obstacles now are screen real estate, heat, and runtime, with the latter two being my biggest concern.

I was in a downward spiral. My computing needs ran the unit hot, Lithium-Ion batteries hate being hot (it shortens their life), and like my batteries, my hands hate being on a hot surface typing for hours. Either I needed to change my computing behavior or I would have to ask mother nature to change the laws of physics. I thought long and hard about the total system and all of the cybernetic circuits: the human, the CTO, the computer and subsystems, the applications and services I required, and all of the infrastructure that make up the larger system. I mapped it all out and came up with a plan that would require change on all parts of the system but would yield results that could not be achieved with the prior strategy.

With this new strategy, I travel with less weight, going from a pack that averaged 20 pounds down to 10 pounds. The biggest and most welcome change was that of runtime. My full-size keyboard computing device gets 500+ hours on 3 AA's -- I am no longer a slave to power outlets! When I am not mobile, I am a part of several desktop environments which have no problem being well resourced.

My mobile arsenal consists of:
Danger Sidekick 3
Iomega Mini Flash Drive
AlphaSmart NEO

The Sidekick 3 offers me the always on connection and has an ssh client as well as all the main apps for IMAP-SSL, IM and a browser;
the Iomega Flash Drive has my presentations for when I am speaking at a customer's site or a conference;
the AlphaSmart NEO gives me a full-size keyboard text processor that weighs less than 2 pounds and runs 700 hours on 3 AA's. If you see my blogging rate go up, it is because of this wonderful device. This device is completely zen.

This is my new setup and it seems to be working out well. I need another 3 to 4 months before I can claim victory.

--tk

September 8, 2006

My constructivist view on reporting

A report does not bring the user meaning, a user brings meaning to the report.
--tk

October 18, 2006

The TKs for the story

Years ago, I worked at a company that had 5 people in the same department named Tim. I couldn't stand the confusion so I changed what people called me to 'TK' and have been going by 'TK' ever since.

I did an interview with a reporter a few weeks back and, as always, I introduced myself as Tim Keanini but told him that I go by 'TK'. He said "Oh, that is cool". I said "What's cool?" He said that editors have a term 'TK' which means 'information to come'; it is used as a placeholder. For example, a reporter or journalist may write something like "Spending on compliance products are likely to increase by TK% over the next 3 years". Not being familiar with the term, I asked to learn more. He said that it is deeply embedded into their language; for example, he may get a voicemail from his manager saying "The TKs for the article 'Bogus Security Spending' are due, we need them now!" We did the interview and I filled in TK's TKs. :-)

I thought it was awesome that 'TK' held this particular meaning and it got me thinking about the larger context. It seems that every domain has its chosen placeholder variable name. This would be a great thesis for an ambitious anthropology major. tk, foobar, john and jane doe, stubs: these placeholders are everywhere, and what a cool project it would be to map how the names of these placeholders take a different form in categories of class, gender, ethnicity, etc.

This is my 'TK' posting of the week. :-)

October 23, 2006

Firefox 2.0

This is just a short heads-up... Tomorrow is listed as the official release date for Mozilla Firefox 2.0. However, those of you that want to play with 2.0 Final a little early can browse through their release directory and grab it now.

Specific versions:

  • Windows
  • OS X
  • Linux

Enjoy.

October 24, 2006

CWSandbox Review

Lately, I've been more and more interested in malware analysis... I've been gathering viruses I receive and watching how they operate inside VMs. Due to this interest I've added more blogs to my seemingly never-ending list of RSS Feeds... Today a very interesting one came across the wire. Sunbelt Software had a blog posting announcing the official launch of CWSandbox. I must say, the software looks pretty damn cool.

Essentially, the malware that you submit is executed in what I'm guessing is a VM environment. The software operates by injecting itself in a manner similar to how malware injects itself and has multiple means of protecting against detection by the malware. CWSandbox then monitors the file system, registry and other applications along with network activity, and extracts important data (such as FTP or IRC login data).

One of the more interesting things is that the analysis continues. If I upload Malware A which then extracts or downloads Malware B and Malware C, CWSandbox will follow both of those applications and their execution to see exactly what they do.

In order to test this software, I went with a variant of the Stration Virus. It's something that I've followed previously and taken a look at a bit in the past ( Links to information I've posted on the subject: 1 | 2 | 3).

It initially took a few attempts to upload the malware. Every time I went to submit it, my AV would step in and wipe the file, so I was constantly being returned to this report. I knew something was off because the file size was reported as 1 byte. I finally put the malware into a VM and had no problem submitting it. The time from submission to the email of the analysis was about 3 minutes... This was fairly impressive. Although I wonder if perhaps the quickness of the analysis would cause them to miss anything that is time delayed or if they wait until all the processes finish their execution.

I had the option of receiving the analysis via email in either text or html. I opted for the html version, which is essentially what is presented on their website if you punch in the id to the ViewMalware page ( Example: Stration Sample - ID 3247 ). When you visit the page, you then have the option of downloading a Cab file and the Analysis in XML. The cab file contains the xml analysis and also a series of logs (process info) and mappings for each of the processes that ran, including a collection of dat files, which I assume are the files that were touched by the malware (they are stored in proc_X (where X is the number of the process) folders and inside those the dat files are in a created_files folder).

For each process you receive a detailed list that includes (where applicable):

  • Parent ID
  • Process ID
  • File Name (CWSandbox creates the file as .exe when you upload it)
  • MD5
  • Start Reason (The initial upload was AnalysisTarget, all others seemed to be CreateProcess)
  • Termination Reason (I saw Timeout and NormalTermination as two of the possible reasons)
  • Start Time
  • Stop Time
  • Detection (Results from various AV software: Authentium Command AV, BitDefender AV, Microsoft Malware Protection and Norton AV)
  • DLL-Handling
  • FileSystem (Files Created, Files Opened and a chronological ordering of the actions)
  • Process Management (Command line execution and which user executed them)
  • Mutexes (Created Mutexes)
  • Registry (Displays Reads, Enums and Creation/Open)
  • Service Management (Services that were touched)
  • System Info (In this case it was Get System Directory and Get Computer Name)
  • User Management (Get User Name requests, User Impersonation)
  • Network Activity (DNS Lookups (with resolution), UDP and TCP Requests)
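The field list above is the layout a practitioner ends up scripting against. As an added example (not code from the original post, and not Sunbelt's own tooling), here is a Python script that reads a per-process report with these fields, rebuilds the process tree from the parent IDs, pulls out the DNS and TCP/UDP indicators, flags writes to a Run autostart key, and lists the processes the sandbox stopped on a timeout, since nothing those processes would have done after the cut-off appears in the report. The sample XML inside it is constructed for the example, and its element and attribute names only approximate the CWSandbox XML layout; they are assumptions, not the vendor's schema.

```python
"""Added example, not code from the original post or from CWSandbox: parse a
per-process sandbox report with the fields listed above, rebuild the process
tree from the parent IDs and pull out the indicators worth acting on. The XML
is CONSTRUCTED; its element/attribute names only approximate the CWSandbox
layout and are assumptions, not the vendor's schema."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<analysis><processes>
  <process index="1" pid="1544" parentindex="0" filename="C:\\sample.exe"
           md5="0123456789abcdef0123456789abcdef"
           startreason="AnalysisTarget" terminationreason="NormalTermination">
    <filesystem_section>
      <create_file srcfile="C:\\WINDOWS\\system32\\wuauxrc.exe"/>
    </filesystem_section>
    <registry_section>
      <set_value key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="wuauxrc"/>
    </registry_section>
    <mutex_section><create_mutex name="_wuauxrc_mutex"/></mutex_section>
    <winsock_section>
      <dns_lookup host="mail.example.invalid" result="192.0.2.10"/>
      <connect host="192.0.2.10" port="25" protocol="TCP"/>
    </winsock_section>
  </process>
  <process index="2" pid="1720" parentindex="1" filename="C:\\WINDOWS\\system32\\wuauxrc.exe"
           md5="0123456789abcdef0123456789abcdef"
           startreason="CreateProcess" terminationreason="Timeout">
    <winsock_section>
      <dns_lookup host="update.example.invalid" result="198.51.100.7"/>
      <connect host="198.51.100.7" port="80" protocol="TCP"/>
      <connect host="198.51.100.7" port="1034" protocol="UDP"/>
    </winsock_section>
  </process>
</processes></analysis>"""


def parse_processes(xml_text):
    """{index: info} for every <process>: identity fields plus the file,
    registry, mutex and network activity recorded under it."""
    procs = {}
    for p in ET.fromstring(xml_text).iter("process"):
        procs[p.get("index")] = {
            "index": p.get("index"), "parentindex": p.get("parentindex"),
            "pid": int(p.get("pid")), "filename": p.get("filename"),
            "md5": p.get("md5"), "startreason": p.get("startreason"),
            "terminationreason": p.get("terminationreason"),
            "files_created": [e.get("srcfile") for e in p.iter("create_file")],
            "registry_writes": [(e.get("key"), e.get("value"))
                                for e in p.iter("set_value")],
            "mutexes": [e.get("name") for e in p.iter("create_mutex")],
            "dns": {e.get("host"): e.get("result") for e in p.iter("dns_lookup")},
            "connections": [(e.get("host"), int(e.get("port")), e.get("protocol"))
                            for e in p.iter("connect")],
        }
    return procs


def process_tree(procs):
    """One indented line per process, following parentindex links, so the
    AnalysisTarget and everything it spawned read as a tree."""
    children = {}
    for info in procs.values():
        children.setdefault(info["parentindex"], []).append(info["index"])
    lines = []

    def walk(idx, depth):
        info = procs[idx]
        lines.append("%s%s (pid %d, %s -> %s)" % ("  " * depth, info["filename"],
                     info["pid"], info["startreason"], info["terminationreason"]))
        for child in sorted(children.get(idx, []), key=int):
            walk(child, depth + 1)

    roots = [i for i, v in procs.items() if v["parentindex"] not in procs]
    for root in sorted(roots, key=int):
        walk(root, 0)
    return lines


def network_indicators(procs):
    """Set of (host, port, protocol) contacted by any process in the report."""
    return {c for info in procs.values() for c in info["connections"]}


def dns_resolutions(procs):
    """Merged hostname -> resolved address map across all processes."""
    return {h: a for info in procs.values() for h, a in info["dns"].items()}


def persistence_entries(procs):
    """(pid, key) for writes under a ...\\Run autostart key."""
    return [(info["pid"], key) for info in procs.values()
            for key, _ in info["registry_writes"] if key.lower().endswith("\\run")]


def incomplete_processes(procs):
    """PIDs the sandbox cut off on a timeout: whatever they would have done
    after the cut-off (sleep-then-download logic) is not in the report."""
    return [info["pid"] for info in procs.values()
            if info["terminationreason"].lower() == "timeout"]


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_REPORT)
    print("\n".join(process_tree(procs)))
    print("network:", sorted(network_indicators(procs)), "dns:", dns_resolutions(procs))
    print("persistence:", persistence_entries(procs), "timed out:", incomplete_processes(procs))
```

Run it as a script to print the tree and the indicators; to use it on a real download, point parse_processes() at the XML from the cab file once the element and attribute names are adjusted to match the report you actually receive. The timeout check is the part worth keeping: a process that was killed by the sandbox clock, not by its own exit, is exactly the case where a short run can miss delayed behaviour.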

One thing to also note is that you will receive different messages if you're uploading something that has been seen previously vs a file that they haven't analyzed before. One will give you a direct link to the previous analysis, the other will tell you the file has been queued and you'll receive an email when the scan is complete...

While I had some frustration at first due to the previous results coming up, after I realized what was happening (reading instead of just quickly clicking the link), I was rather impressed.

I can see plenty of practical purposes for this product... and the fact that they do have it freely available makes it a nice addition for any research... I definitely give it two thumbs up.

October 26, 2006

Ubuntu 6.10 Released...

This is just a quick update... Ubuntu 6.10 has been released. While it is not available via ShipIT (6.06 LTS only), you can download/buy it.

Those of you with a previous version of Ubuntu installed (say 6.06 LTS like I was running) can very easily upgrade with no hassle and no need to download and burn the ISO.

It's this simple:

  • Press Alt+F2
  • Type in gksu "update-manager -c -d" and press Enter
  • While it will tell you about updates available, at the top it will say that 6.10 is available -- Click 'Update'
  • Wait while the update proceeds, if you've added 3rd party apt sources, you'll get a message saying it has disabled those sources
  • After the package lists for 6.10 are read you'll get a message saying how many packages will be installed, added or removed, you have to verify this to continue
  • Now the install actually continues -- In my case I have 1876 packages to fetch

That's it... wait for the install, enjoy a cup of coffee and then experience the new system. To give you an idea... My update is listed as taking around 1.25 - 1.5 hours.

Enjoy.

October 29, 2006

New Microsoft Remote DoS 0Day in the Wild

Microsoft Windows NAT Helper Components (ipnathlp.dll) 0day Remote DoS Exploit

The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface (from what I’ve seen in my playing thus far, the Windows Firewall was disabled).

Malicious Person — Computer with ICS — Internet

I ran Windows Updates on an XP SP2 machine immediately prior to testing this… so it *SHOULD* have been fully up-to-date

I’ve attached a few of the details below.

——

Microsoft Error Message:

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

View What’s in this report:

Error signature:

szAppName: svchost.exe
szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll
szModVer: 5.1.2600.2180
offset: 0001d45e

---

This is currently being tracked by SANS ISC

October 31, 2006

Tales of Terror

Happy Halloween

Either folklore or fact, we all enjoy recounting horror stories. We have probably all heard about the broken coffee cup holder support call, or the one about the guy who couldn’t turn on his computer during a power outage in the neighborhood. In honor of this festive day, allow me to add two tales to your anthology.

Misguided efforts

The first day at my new job at a previous employer, I spent some time reading the IT FAQ entries. The first (and most popular) question:
Q: "My CD ROM is broken".
A: "Contact IT immediately, CD ROMs aren't permitted at this company".

Coming from predominantly creative software development companies prior to that, you might imagine my aghast reaction. I asked the IT director about this. He responded that CDs aren't permitted because they create an avenue for viruses to enter the network and, more importantly, are a method for persons to copy and take the company's intellectual property. The punch line: every single person had full and unaccounted access to anything on the Internet.


Sir, your data center is a new swim center

One part of the security triad is availability. Due to some local or state regulations, many data centers are still required to maintain water sprinklers for fire suppression. The work-around is to install a double-interlock pre-action sprinkler system. In these systems the pipes stay dry and fill only when both a detector trips and a sprinkler head opens, so a false alarm on its own does not release water. The value is that your data center is spared a deluge in case of a mistake. That's not always the case.

A software development company in northern California had no pre-action system in their data center. One day, the plumber was called in to repair a pipe to a bathroom located near the server room. He fired up the torch and began working. Seconds later, smoke and fumes hit the detector. What he had next was about 3 inches of standing water inside a 1,000 square foot data center. Everything soaked, many days of downtime.

/me blushes.

After my blog postings on Sunday, I’ve received some feedback that my recommendations may be confusing to those outside of the Security Research field. It’s not always easy to write for all audiences in a single post – particularly in the blog space – so here is some clarification for those who have questions …

How to Disable ICS

With the introduction of Windows XP Service Pack 2, users were blessed with some new firewall and Internet Connection Sharing (ICS) features. It's important to note that even though these two features interact and share some Windows Firewall code, they are configured separately. Due to the recent ICS vulnerabilities discussed here on our blog, it is probably best to review your personal and enterprise settings regarding Internet Connection Sharing. To that point, both enterprise and home users can easily choose to disable ICS without disabling the Windows Firewall.

Our friends at ZDNet seem to think that disabling Internet Connection Sharing turns off the Windows Firewall. It’s also rumored that it’s really easy for a home user to inadvertently turn off the firewall while disabling ICS. Let’s have a look.

Step 1: Open your Local Area Connection Properties. Click on the Advanced Tab.

(screenshot: ics_default.png, the Advanced tab with default settings)

We see two very distinct configuration areas – Windows Firewall and Internet Connection Sharing. The screen shot shows the default settings, that being ICS turned off by default. So it stands to reason that if you HAD turned on ICS, you probably know how to turn it off. Which brings us to our second step.

Step 2: Ensure the checkbox is NOT selected for “Allow other network users to connect through this computer’s Internet connection”

Step 3: Click OK; it is probably best to reboot.

Result: In three steps, I’ve turned off ICS and have NOT disabled my Windows Firewall.


Enterprise Configuration


Enterprises looking to mitigate their risk for the Microsoft ICS vulnerability should consider deployment of a few group policy settings.

These settings are discussed in detail on Microsoft’s TechNet site.

Prohibit use of Internet Connection Sharing on your DNS domain network determines whether computer users with administrator accounts can enable and configure Internet Connection Sharing (ICS) on network connections on your domain.

Prohibit use of Internet Connection Firewall on your DNS domain network determines whether computer users with administrator accounts can enable and configure Internet Connection Firewall (ICF) on network connections on your domain.

Prohibit installation and configuration of Network Bridge on your DNS domain network determines whether computer users with administrator accounts can enable Network Bridge on your domain.

Now, once you’ve gone ahead and disabled ICS from a group policy, a user lacks the ability to alter the settings. In the below screen shot we see our user has no access to the ICS configuration settings.

(screenshot: ics_disabled.PNG, the Advanced tab with ICS locked by group policy)

I hope this clears things up.

Internet Connection Sharing Vulnerability Test Results

Here at nCircle most of my day has been spent fielding questions about this Internet Connection Sharing vuln. There seems to be a misunderstanding regarding the question: "Is the only way to mitigate this vulnerability by turning off the Windows service 'Windows Firewall/Internet Connection Sharing (ICS)'?"

I wanted to share the below chart that Tyler provided to me. These are the results of his testing this vulnerability in our own lab over the weekend.

* Internet Connection Sharing Enabled/Disabled means the "Allow other network users to connect through this computer's Internet connection" box is checked or not checked
* Windows Firewall Enabled/Disabled means it's set to On or Off
* Service State is the (Windows Firewall/Internet Connection Sharing Service)
* Interface describes which side of the network the attack originated from (LAN being the "inside" and WAN representing the "Internet Connection" side)

Internet Connection Sharing | Windows Firewall | Service State | Interface | Crash
Enabled                     | Disabled         | Enabled       | LAN       | Yes
Enabled                     | Enabled          | Enabled       | LAN       | Yes
Disabled                    | Disabled         | Enabled       | LAN       | No
Enabled                     | Disabled         | Enabled       | WAN       | No
Enabled                     | Enabled          | Enabled       | WAN       | No
Disabled                    | Disabled         | Enabled       | WAN       | No
November 29, 2006

Evolution of Corporate Guidelines for Internet Usage

The end of a calendar year is upon us. True to human nature, when we anticipate a cyclical restart, something innate causes us to reflect. Backwards reflection is often the most comforting…reflection to a time perceived “better”. Allow me to reference two evergreen documents everyone should read.

RFC1855 Netiquette Guidelines

http://www.ietf.org/rfc/rfc1855.txt

A most interesting read if you’ve never seen it. Circa 1995, an eon ago in Internet time, this informational memo still holds water. It discusses etiquette guidelines for Internet communications. Unlike typical RFCs, the protocols discussed aren’t SMTP, HTTP or the like, but those of human interaction: how best to communicate in groups and individually online.

Read it, print it and hand it out to friends and colleagues.

Horses and Barns: Evolution of Corporate Guidelines for Internet Usage

ftp://ftp.intel.com/pub/papers/horses.ps

Presented at LISA in 1993, this paper by Intel employees tells the story of their struggles with discovering, setting and enforcing Internet usage policy. It’s an interesting historical account with some important key lessons, as highlighted in the paper:

#1 Research Policy Issues.
#2 Consult with users and stakeholders on policy decisions.
#3 Make the policy available and readable.
#4 Get key people to buy into a policy. Better yet, get some kind of official stamp of approval.
#5 Forms with signature loops are a way of making sure that people are serious about wanting something. It is also a way to inform key parties of change and get their buy-in.
#6 Provide metrics on usage and quality of service.
#7 User education is critical.
#8 Create explicit and enforceable policies.
#9 Policy transitions can be hard, especially when you have to take something away.
#10 Policies exist to serve. They should be changed when circumstances warrant.

December 6, 2006

Mike Murray's interview with TK

A few days ago, I did an interview podcast with Mike Murray for his Episteme.ca site.

Mike is doing some interesting things and I love that he sees the entire techno-social picture of our industry.

What does a term like Episteme have to do with security and risk management? Everything. :-)

episteme
n : the body of ideas that determine intellectually certain
knowledge at any particular time

--tk

December 12, 2006

Appliance Architecture Mirrors Personnel Management

The evolution of the network appliance reflects corporate personnel management.

Mike Murray noted the other day on his blog:

“And, unfortunately, these appliances are actually beginning to do the opposite of their original promise - as enterprises organize their security infrastructure to automate patching and ensure availability, the proliferation of different appliances actually adds to TCO - we're spending more time managing our appliances than our actual infrastructure.”

Full disclosure: Mike is a good friend and an ex-nCircle employee. So when I say Mike failed to note the human characteristic of his findings, he’ll take it on as a challenge.

Absolutely, there is an appliance for just about every management need – compliance, configuration, patching, etc. Mike misses the corollary. Enterprises like building silos of control. We see it in technology and it’s mirrored in personnel practices. Take a look at some job titles on popular recruiting websites: “IT Audit SAP”, “ITIL Professional”, “ERP Controls”, “Metrics Analyst”.

When you get to an enterprise level, breaking the problems and goals into bite-size chunks makes some sense. As a result, you have employees solely focused on a specific task with measurable goals. The downside is that you are stuck in your silo, and many times in political battles with the other silos.

December 13, 2006

Trusting Software Distribution


In 2005, I wrote a paper, “Don't Trust Your Vendor's Software Distribution Methodology”. The goal of the paper, besides gaining some CISSP credits, was to raise awareness of our lackadaisical acceptance of popular insecure software distribution methods. When I was busy writing it, TK came over one day and said, “This is big, and if you write this well you’ll be testifying before Congress”. Nancy Pelosi hasn’t phoned.

I haven’t got the penmanship or charisma of Thomas Jefferson or Frederick Douglass. A year approaches since this paper was last published, and the soapbox beckons.

Your systems are vulnerable.
Your bank is at risk.
Your switches, routers and firewalls cannot be trusted.

Picture Bob. He is your network engineer. One day Bob is assigned to upgrade the software on a router. Bob is an excellent network engineer. He downloads the specific software, loads and tests it in a lab. Following change management policies, he certifies everything is good to go, and in a specific change window the upgrade is a success. Unfortunately, the site he visited to download the software wasn’t the vendor’s site. Unbeknownst to anyone, he has now loaded malware on the router.


Two questions to the reader

1. How many of your vendors provide software distribution methods that provide endpoint authentication?
2. How many of your products have an internal mechanism to ensure hierarchical trust?

Hashes don’t usually help

When I play out the scenario, many people first respond, “but, I checked the MD5 hash”. Let’s walk through the lines of communication.

1. Launch browser
2. Type in http://downloads.vendor.com
3. DNS Request
4. Navigate website.
5. Download software http://downloads.vendor.com/software2.0.tar.gz
6. Download signature http://downloads.vendor.com/software2.0.md5
7. Check signature
8. Install software on router
9. Reload


What went wrong?

1. In step 3, a DNS server could have a poisoned cache.
2. In steps 5 and 6, Bob is using http. This is a non-authenticated protocol.
3. Thank goodness Bob checked the signature in step 7. Too bad, again, the signature was obtained using a non-authenticated protocol.
4. The router itself made no attempt to verify the trust of the software.

Fixing the issue.

Technically, these issues are easy to fix. First, never download any software over non-authenticated protocols. You should be using HTTPS or SCP, and don’t forget to confirm the certificate or host key. Checking a signature is a good idea. However, remember that its intention is to ensure integrity, not trust. The most important part of the equation is for vendors to deliver solutions to ensure trust. A closed system like a router should have a pre-loaded certificate. If the software is signed with a certificate matching that of the pre-loaded certificate’s signer, then we can have a high level of trust.
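Bob’s walk-through, worked as an added example that is not from the original post: a vendor signs its image, a middleman on the unauthenticated path swaps the image and republishes a matching .md5 (so the hash check in step 7 still passes), and only the router’s pre-loaded vendor key rejects it. Ed25519 with a bare pinned public key stands in for the certificate chain the text describes; the key pair, the image bytes and all names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release models what Bob fetches over the unauthenticated channel: the
// software image, the vendor's .md5 file, and a detached signature.
type Release struct {
	Image     []byte
	MD5Hex    string
	Signature []byte
}

// Publish is the vendor side: hash the image and sign it with the vendor's
// private key (constructed for this example, not a real vendor key).
func Publish(priv ed25519.PrivateKey, image []byte) Release {
	sum := md5.Sum(image)
	return Release{
		Image:     image,
		MD5Hex:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, image),
	}
}

// Tamper models a poisoned-DNS or plain-HTTP middleman who swaps the image
// and republishes a matching .md5, since both travel the same path (step 6).
func Tamper(r Release, malicious []byte) Release {
	sum := md5.Sum(malicious)
	return Release{Image: malicious, MD5Hex: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

// HashCheckPasses is Bob's "but I checked the MD5" step: integrity only.
func HashCheckPasses(r Release) bool {
	sum := md5.Sum(r.Image)
	return hex.EncodeToString(sum[:]) == r.MD5Hex
}

// RouterAccepts is the closed-system check: the pre-loaded vendor public key
// decides, independent of how the bytes arrived.
func RouterAccepts(preloaded ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(preloaded, r.Image, r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Publish(priv, []byte("software2.0.tar.gz (constructed)"))
	evil := Tamper(genuine, []byte("software2.0.tar.gz + malware (constructed)"))
	fmt.Println(HashCheckPasses(evil), RouterAccepts(pub, evil))       // true false
	fmt.Println(HashCheckPasses(genuine), RouterAccepts(pub, genuine)) // true true
}
```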

Don’t limit your fear

Are you anxious or confused yet? The matter of trust isn’t limited to open source distributions, but they do provide an open door to statistical gathering. When you look at the rampant use of open source software in commercial products, the banking industry and security products, one should be uneasy. Very, very few of our popular open source packages provide means to download code over authenticated protocols. For example, the FreeBSD ports tree currently boasts 16206 ports. Of these ports, only 13 list download sites using HTTPS. None of those 13 include the heavily used distributions like Apache, MySQL, PostgreSQL, PHP or Ruby. By no means should one assume that these statistics indicate greater trust in commercial source versus open source. Both are probably equally at fault.

Risk is Rampant

In recent years, financial institutions like Bank of America and Citigroup have boasted their use of open source products. Apparently, the FDIC recognizes the risk. In 2004, the FDIC issued a letter “Risk Management of Free and Open Source Software” in which they both caution on the use of open source software and provide best practices on risk reduction.

Bottom Line

At the end of the day, very few of my vendors or open source distributions provide me with a trusted method to download code. What’s the problem? Is it cost, complexity, ignorance or all of the above?

December 19, 2006

What is Security Performance?

Performance: Primarily linked with availability, throughput and response times, performance is the foremost specific item in determining overall system yield.

Information Security: The CIA triad we live by, “the right information to the right people at the right time”.

To me performance is PART of security, not an adjective thereof. Do you have better security if you get the information to someone faster or with fewer packets?

SysTrust

Recently, I’ve had the opportunity to evaluate some of our internal policies and procedures against the AICPA SysTrust standard. As a side note, this published standard is a good place to start if you find ISO 17799 too daunting, but that’s a completely different topic. What caught me off guard in SysTrust is a criterion which says:

“The entity’s confidentiality and security performance is periodically reviewed and compared with the defined confidentiality and related security policies.”

I’ve been gnashing on this one for a while now. There are security metrics (see NIST SP 800-55) from which, when measured, one can derive performance data. Information Security is a defined term, and so is performance; what, then, is security performance? I think the team at AICPA may have cut some corners on this one. To use an undefined term in a published standard just adds to the already daunting task of becoming compliant.

If you’d care to attempt to define security performance, send me your ideas.

December 22, 2006

Thwarting Physical Santa Security

Since my days of scabbed knees and runny nose, that aged portly man has managed to thwart my efforts at physical security. Every December 25th I’d wake up to the glimmer of wrapping paper draped by twinkling illuminations, the half-eaten cookies and gnawed carrots. With an anxious laugh, my brother and I would yell to our parents, “Come on, hurry up! It’s Christmas!”

We were all so excited by the deliveries of trains, trucks, bikes and the occasional socks that I always forgot the confusion of why Dad would allow a stranger into our house. The house was my inner sanctum, my place of refuge. It’s where I kept my most prized possessions – the #1 Star Wars comic, my Cream tapes and SuperFriends action figures.

January arrived and the dizzying days of play dwindled. My mind would wander and soon my worrisome demeanor would ask, “How could my parents just allow some guy to enter our house at night while we all slept?” What about “don’t talk to strangers” and “don’t answer the door when you are home alone”? I slept at night, bundled in my Scooby Doo jammies, while my parents knowingly allowed someone to risk his own life on our property to shimmy his way down our chimney. Did my parents have a copy of his updated liability insurance? What about an NDA, resume or background check? I looked through my dad’s filing drawers. Nothing. Nothing marked Santa or Kris Kringle. Not even a “related:Christmas” query returned a hint.

I’m now grown up a bit. Many years of school, certifications, training and security experience have taught me one thing – risk management. So Santa, if you plan on coming to my house this year, please read, agree to and sign the insurance rider below. You can leave your signed copy by the tree.


Insurance Rider

Santa (“Contractor”) shall obtain from an insurance company or companies having a Best’s Financial Performance Rating (“FPR”) of A/A- and a minimum Financial Size Category (“FSC”) of IX and maintain in force during the term of this Agreement:

(a) Workers’ compensation and employer’s liability insurance sufficient to meet statutory liability limits in the state wherein the work is to be performed and with employers’ liability minimum limits of $1,000,000 for each employee for bodily injury by accident and $1,000,000 for each employee for bodily injury by disease.

(b) Commercial General Liability alone or in combination with, Commercial Umbrella insurance (“Occurrence” coverage) in the following minimum amounts:

General Aggregate: $2,000,000
Each Occurrence: $1,000,000
Premises, operations, independent contractors: $2,000,000
Each Occurrence: $1,000,000
Personal and Advertising Injury: $2,000,000
Medical Expense: Minimum of $5,000 per occurrence.
Fire Expense: Minimum of $100,000 per occurrence
Commercial Umbrella insurance per occurrence $2,000,000


(c) Business Automobile Liability: insurance alone or in combination with Commercial Umbrella insurance covering any auto, or sled, (including owned, hired and non-owned autos) with a limit of not less than $1,000,000 each accident.

(d) Contractor will name ____________ including its subsidiaries and affiliates, directors, officers and employees as an additional insured on Contractor’s Commercial General Liability policy, Business Auto, and Commercial Umbrella.

Thanks.
Oh and Santa, I’d like a new PS3 for Christmas.

Have a great holiday.
--S

December 25, 2006

Merry Christmas


Merry Christmas All!

January 2, 2007

5 Things a SysAdmin Might Not Want To Try

Extending the season of lists: we are used to the "resolutions" and "best of"s this time of year. How about something a bit off topic? My list of 5 things you might not want your sysadmin to try.

1: Don’t name your system "lp", "sendmail" or even worse "kernel" or "panic".

2: Don’t honeypot common binaries like "ls". This might be a great method to trip alarms, but typing "echo *" gets real annoying.

3: Don’t change root’s shell.

4: Don’t run "debug ip packet detail" over a slow connection.

5: Don’t load your restore tapes without first checking the write protect tab.

January 15, 2007

FreeBSD Now Includes CAPP Security Event Auditing

FreeBSD announced their release of version 6.2-RELEASE today. Normally, I wouldn’t find it so interesting to echo an operating system release announcement on the blog, but this event calls for some special recognition. For one thing, I love FreeBSD. The more interesting point is that 6.2 now includes support for CAPP security event auditing as part of the base system. To quote the FreeBSD handbook,

"FreeBSD 6.2-RELEASE and later include support for fine-grained security event auditing. Event auditing allows the reliable, fine-grained, and configurable logging of a variety of security-relevant system events, including logins, configuration changes, and file and network access. These log records can be invaluable for live system monitoring, intrusion detection, and postmortem analysis. FreeBSD implements Sun's published BSM API and file format, and is interoperable with both Sun's Solaris and Apple's Mac OS X audit implementations."


Yes, in all fairness FreeBSD isn’t the first to support the Controlled Access Protection Profile. But I love FreeBSD and I love that security event auditing is now part of version 6.2.


http://www.freebsd.org/releases/6.2R/announce.html

About Blogging

This page contains an archive of all entries posted to 360 Security in the Blogging category. They are listed from oldest to newest.
