Archive

Archive for August, 2007

I’m a Twit(terer) but did you know that the L.A. Fire Department is, too?

August 31st, 2007 8 comments

Twitterlogo
If you look over to the right under the Lijit widget, you’ll see that I use Twitter.  It’s addictive.  At first I thought it was stupid.  Now I’m having simplex "conversations" with myself and others(?) that are strangely satisfying.

If you don’t happen to know what Twitter is, it’s basically a "micro-blogging" (ugh) social-networking site.  Read more about it here.

If you were so inclined, you can feel free to bore yourself to tears by tapping into the ever-exciting neartime log of my activities — only to discover that all I do is eat and sit in airports.  Thrilling.

Lafd
However, as I was browsing the Twitter site today, I found that the L.A. Fire Department actually logs (all?) its calls to Twitter — it’s the web-based version of sitting in front of a scanner and listening to dispatch.  They also maintain a blog.  Imagine if the LAPD did the same…now that would be "fun."

Scoble covered this back in July and unfortunately I didn’t happen to see it at the time. 

This got me thinking about not only how interesting this is to those whose hobby in the analog world is following the LAFD’s actions and this obviously unique particular application for information dispersal and broadcast of information from and to these first responders as an alert/emergency service, but also that of potential applications in the DoD space.

I’m readying another post regarding some of the impacts that Web2.x and various collaboration and interactive technologies have had on the modern warfighter, but thus really struck me as interesting. 

With some of the various visualization tools coming to bear (Twitter is introducing one) one could take human-generated as well as automated feeds of unstructured, yet contextual theater updates (in addition to more structured data such as engagement, position, movement, number, etc.) and parse/visualize activity over time to arrive at some very interesting data points.  More on that later, but noddle on it.

Back to the LAFD’s Twitter and why I’m bringing this up on my "security" blog…while it appears that these logs are public record, check out the information you can glean from these entries — they appear to be unparsed.  Is anyone else concerned by the privacy implications of including personal information as part of these feeds…esp. when paired with the types of activities profiled in the abstracts?

/Hoff

Categories: Twitter Tags:

Cisco & Trend Micro: Friends, Lovers or Still Contemplating the 29 Dimensions of Compatibility on eHarmony.com?

August 31st, 2007 1 comment

Ciscosystems_24_2
Cisco Turns to Trend Micro for Router Security

Interesting title — and one that’s appropriately bold (pun intended.)

I found this story (below) regarding the apparent renewal of vows between Cisco and Trend interesting because of what is perceived by many as somewhat of a strange on-going dating relationship between the two companies. 

Trend_2Some might suggest that over the last few years, with Trend’s inclusion as the A/V function of choice across many Cisco platforms and the NAC partnership, etc., that TM was looking to ultimately get bought by Cisco. It certainly appeared that way to me.  Perhaps the dowry was just too great, but it certainly looked like Cisco decided that monogamy wasn’t in the cards.

When Cisco acquired IronPort, many felt that while they were specifically focused on messaging security, that the technology would be leveraged heavily across Cisco’s product lines and the Trend partnership would eventually wane.

Trend is well known for both it’s anti-virus/spyware/spam solutions as well as its web-based security gateways while IronPort is known mostly for the former (see below, however.) 

Ironport_logo
It’s interesting to try and reconcile the commonalities between the two company’s product offerings.  On the surface, they both claim to do similar sets of things — even down to the reputation services elements of their products.

Here’s what IronPort suggests they provide:

Email Security

The IronPort email security appliances
are the most sophisticated systems available today. In production at
eight of the ten largest ISPs and more than 20 percent of the world’s
largest enterprises, these systems have a demonstrated record of
unparalleled security and reliability. The same code base that powers
IronPort’s most sophisticated customers is available in all of
IronPort’s email security appliances, to protect the email systems of
enterprises of all sizes. More.

Web Security

The
IronPort S-Series™ is the industry’s fastest Web security appliance.
The IronPort S-Series appliances combine a high-performance security
platform with IronPort’s exclusive Web Reputation technology and
IronPort’s breakthrough Dynamic Vectoring and Streaming™ (DVS) engine,
a new scanning technology that enables signature-based spyware
filtering. Robust management and reporting tools deliver ease of
administration and complete visibility into threat-related activity. More.

…and yet exclusing the desktop reach, it’s almost identical to what Trend Micro suggests they bring to the party. 

 

So if IronPort was supposed to be the content security play for Cisco, does this mean that their adaptabilty beyond messaging was either never in the cards or just isn’t panning out as quickly as was hoped?

Specific activity in the Channel from Trend certainly seemed to imply there was a wave of panic regarding the long strategic partnership between the two companies after the acquisition and it was unclear how Trend might proceed should the couple "become friends" instead of lovers. 

That’s not to say that Trend isn’t a healthy company, but there was, and is, a lot riding on this relationship.

So today, we see this announcement (from CRN/ChannelWeb):

Cisco Systems Thursday unveiled plans to add content security services
to its routers via an extended partnership with Trend Micro.

The San Jose, Calif.-based networking vendor plans soon to integrate Trend Micro technology into the operating system
of its Integrated Services Routers (ISRs),
adding services such as
content filtering to its family of branch office routers, said Tom
Russell, senior director of Cisco’s Security Technology Group.

The new offering, which will be available "in the near future,"
will make it easier for channel partners to build layered security
solutions, as the ISR family already supports several integrated
security options, Russell said. It will also help push content security
out to remote locations, he added.

"You need to have content security at the central site, but you
also have to distribute it to all of the points in the network," he
said.

Cisco and Cupertino, Calif.-based Trend Micro have been working
together since 2004. Trend Micro content security technology is already
incorporated into Cisco’s Adaptive Security Appliance family of unified
threat management wares.

Trend Micro is also a partner in Cisco’s Network Admission Control
initiative and offers its own Damage Cleanup Services for the Cisco
MARS (Mitigation, Analysis and Response System) platform.

Interesting, eh?  The ASA’s were looking like the beginning of a UTM platform of choice for Cisco, but given the popularity of the ISR and the integration of certain WAN/Branch Office functionality (not to mention install base,) this makes sense.

So we’re back to figuring out where the intersection of IronPort and Trend lays.  It certainly seems that this announcement sees the happy couple holding hands again and leaves me more confused about IronPort in the long term now instead of Trend.  I also seem to recall that IronPort utilized Sophos’ AV engine…perhaps that will/has changed?

I continue to go to shows where the IronPort brand (and booth) is still separate from Cisco’s and the IronPort website is still brand discrete (albeit with a "…part of Cisco" graphic) which is a little odd.  I thought IronPort was going to be the leveraged integrated content security play for them?

It wouldn’t be the first time I’m confused by Cisco’s acquisition integration strategy.

/Hoff

Categories: Cisco Tags:

Those of You Wanting the .PPT/.KEY version of the Virtualization Deck…

August 30th, 2007 3 comments

Pptdevil_2
Here you go.

As I explained, the export from Keynote to PowerPoint renders some of the font formatting and shadow effects rather poorly.  You can fix this by:

     1. Using a Mac, and
     2. Using Keynote ;)

You will need to clean this up should you hope it matches the .PDF you first saw.

Just in case you’re interested in the Keynote version, here is the link to it, also.  I compressed this one.

I apologize for the filesizes, I didn’t spend much time optimizing anything for these.  I hope they help.  I will, at some point, probably revise them to include some timely information.

Enjoy

/Hoff


{Link was broken for the Keynote file.  Fixed as of 2:31am EST.  ;) }

Categories: Virtualization Tags:

Apparently, InfoWorld’s Executive Forum on Virtualization *IS* Concerned About Security…

August 29th, 2007 2 comments

Surprised_monkey
You might remember a post from a few days ago wherein I lambasted InfoWorld for not including security as a mainline topic for their upcoming Executive Forum on Virtualization.  I was pretty gruff, but I don’t think out of line, in calling them on this point.

I blogged about it, tracked down the Forum organizers’ contact information and fired off an email to Jill Martay (VP of Events) and Doug Dineley (Conference Chair) with no expectation that I’d receive a response.

In the meantime, Alan Shimel piped in, consoling me in his ever-effervescent style, by suggesting that despite my longwinded plea for sanity, I was merely wasting my breath — but that I shouldn’t worry because he’s making up for it with all the interviews he’s giving on how StillSecure will address the topic ;)

My friend Chris Hoff has himself all worked up. In fact Hoff is in a huff.
What has Christofer (for those who may not realize he spells his name
funny) so worked up you ask? It seems the good folks over at InfoWorld
are staging an Executive Forum
on virtualization next month down in NYC.  No where on the agenda is
even a mention of security and the challenges that a secure
virtualization environment poses.  Chris goes so far as to offer, on
his own dime, to go down and personally deliver a presentation on
security and virtualization. Well Chris it would be nice to see the
InfoWorld folks take you up on this, but I would not hold my breath.

 While I obviously agree with Alan that virtualization is a fantastically interesting and relevant topic, It’s nice to know that even Alan can be wrong sometimes, too…it wasn’t a waste of time, at all.

Today I received an unexpected response to my email that described my disappointment in the lack of security content in the forum.  This email came from both Jill Martay and Doug Dineley which I thought was not only classy but reasonable:

I don't disagree. My original plan for this event included an expert 
panel session on security, and I spent a good deal of time trying to
put that together. I found it quite difficult to create a meaningful
session that included people with useful things to say. And I didn't
want a session with a lot of hand waving and cries of "the sky is falling.

I hope to do better for the next forum, which is coming around in
February (I think). The level of discussion around securing virtual
servers will rise over time, as more security officers start grappling
with larger virtual environments.

I thank you Doug and Jill for both responding and explaining the situation and I look forward to speaking with you soon with some recommendations for content which satisfies your requirements — and those of your attendees.  I’m convinced there’s plenty out there…

So, Alan, sometimes it’s worth a few altruistic exhales oh behalf of a secure humanity.   You never know, you might get back a breath of fresh air in return.

/Hoff


			
Categories: Uncategorized Tags:

Das GooglePhone…Powered by GoogleOS…Will Be Connected Via GoogleFi via GooglePOPs…paid for by GoogleAds…

August 29th, 2007 2 comments

Googlephoneconcept
There have been no shortage of rumors, leaks and innuendo lately regarding Google’s plans for the production of the GooglePhone.

Google’s made no secret of the fact that it’s shopping for platform partners as they "explore" the potential.  It’s suggested an announcement will come officially after the Labor Day holidays here in the U.S.

Google has quietly made at least one acquisition that would support the case, namely that of a mobile software company called Android.  Android was started by one of Danger’s co-founders and developed a Linux based OS for mobile platforms.

Stick that OS on any number of platforms (such as those from HTC which recently leaked prototype information) and you get a nifty little extensible platform that runs a litany of Google Apps natively.  So far we’ve got the GooglePhone and GoogleOS labels out of the way…

Mitchell is smiling in anticipation in that he thinks he’ll be able to ditch his possessed PPC/SmartPhone and use a GooglePhone on Verizon’s network.  Not so fast, Mr. Happy…

Now, while many folks are happy to think that they can have a more usable, extensible, flexible, reliable and expandable mobile platform that natively runs Google’s Apps., what many are not piecing together is Google’s 4.6 Billion dollar decision to participate in the federal government’s upcoming auction of wireless spectrum
  in the 700 megahertz (MHz) band:

   

In a filing with the FCC on July 9, Google urged the Commission to adopt rules for the auction that ensure that, regardless of who wins the spectrum at auction, consumers’ interests are served. Specifically, Google encouraged the FCC to require the adoption of four types of "open" platforms as part of the license conditions:

  • Open applications: Consumers should be able to download and utilize any software applications, content, or services they desire;
  • Open devices: Consumers should be able to utilize a handheld communications device with whatever wireless network they prefer;
  • Open services: Third parties (resellers) should be able to acquire wireless services from a 700 MHz licensee on a wholesale basis, based on reasonably nondiscriminatory commercial terms; and
  • Open networks: Third parties (like internet service providers) should be able to interconnect at any technically feasible point in a 700 MHz licensee’s wireless network.

As a sign of Google’s commitment to promoting greater innovation and choices for consumers, CEO Eric Schmidt sent a letter to FCC Chairman Kevin Martin, stating that should the FCC adopt all four license conditions requested above, Google intends to commit a minimum of $4.6 billion to bidding in the upcoming 700 MHz auction.

So, without the dark overlord overtones, let’s say that Google wins the auction.  They become a mobile operator – or they can likely lease that space back to others with some element of control over the four conditions above.  Even if you use someone else’s phone and resold service, Google wins.

This means that they pair the GooglePhone which will utilize the newly acquired GoogleFi (as I call it) served securely cached out of converged IMS GooglePOPs which I blogged about earlier.   If the GooglePhone has some form of WiFi capabilities, I would expect it will have the split capability to use that network connectivity, also.

…but here’s the rub.  Google makes it’s dough from serving Ads.  What do you think will subsidize the on-going operation and assumed "low cost" consumer service for the GooglePhone.

Yup.  Ads.

So, in between your call to Aunt Sally (or perhaps before, during or after) you’ll get an Ad popping up on your phone for sales on Geritol.  An SMS will be sent to your GooglePhone which will be placed in your GoogleMail inbox.  It’ll then pop up GoogleMaps directing you to the closest store.  When you get to the store, you can search directly for the Geritol product you want by comparing it to pictures provided by Google Photos and interact in realtime with a pharmacist using Google Talk whereupon you’ll be able to pay for said products with Google Checkout.

All. From. Your. GooglePhone.

All driven, end-to-end, through GoogleNet.  Revenue is shared throughout the entire transaction and supply chain driven from that one little ad.

Think I’m nuts?

/Hoff

Categories: Google Tags:

A Play on Negroponte’s OLPC. I present “OHPC” – One Honeypot per Computer…

August 29th, 2007 1 comment

Poohhoneypotbluesalt
I was catching up with an old friend the other day, and in chatting with Lance Spitzner, we got to talking about virtualization and Honeypots.  Lance, as you no doubt already know, is one of the ringleaders of the Honeynet Project whose charter is the following:

The Honeynet Project is a non-profit (501c3) volunteer, research organization dedicated to improving
the security of the Internet at no cost to the public.  All of our work is released as and we are
firmly committed to the ideals of OpenSource
Our goal, simply put, is to make a difference.  We accomplish this goal in the following three ways.

 

Awareness
We raise awareness of the threats and vulnerabilities that exist in the Internet
today.  Many individuals and organizations do not realize they are a target, nor
understand who is attacking them, how, or why.  We provide this information so
people can better understand they are a target, and understand the basic measures
they can take to mitigate these threats.
This information is provided through our Know Your Enemy
series of papers.

Information
For those who are already aware and concerned, we provide
details to better secure and defend your resources. Historically,
information about attackers has been limited to the tools they use. We
provide critical additional information, such as their motives in attacking,
how they communicate, when they attack systems and their actions after compromising
a system.  We provide this service through our
Know Your Enemy
whitepapers and our Scan of the
Month
challenges.

Tools

For organizations interested in continuing their own research about cyber threats,
we provide the tools and techniques we have developed.  We provide these through
our Tools Site.

Look for an upcoming Take5 Interview with Lance shortly.

We were chatting about the application of Honeypots within a virtualized environment and how, for detection purposes, one might integrate them into virtual environments.  Lance brought up the point that the Honeynet Project already talks about the deployment of virtualized Honeypots and the excellent new book by Provos and Holz titled "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" talks about utilizing virtualization and HN’s.

I clarified that what I meant was actually integrating a HoneyPot running in a VM on a production host as part of a standardized deployment model for virtualized environments.  I suggested that this would integrate into the data collection and analysis models the same was as a "regular" physical HoneyPot machine, but could utilize some of the capabilities built into the VMM/HV’s vSwitch to actually make the virtualization of a single HoneyPot across an entire collection of VM’s on a single physical host.

He seemed intrigued by this slightly different perspective.

We’ve seen some pretty interesting discussions both pro and con for production Honeypots in the last couple of weeks.  First there was this excellent write up by InfoWorld’s Roger Grimes which prompted an "operational yeah, but…" from LonerVamp’s blog.

So, with the hopes that this will actually turn into a discussion, Lance said he was going to bring this up internally within the HN Project forums, but I wanted to raise it here.

I’d be very interested in discussing how folks perceive the  notion of OHPC and whether you’d consider deploying one as a VM on each production virtualized host machine you put into production?  If so, why. If not, why?

/Hoff

Categories: Intrusion Detection, Virtualization Tags:

How To Begin Discussing the Virtualization Threat/Vulnerability Landscape: Proactive Approaches to Managing Emerging Risk?

August 29th, 2007 2 comments

Disneychickenlittleskyfalling
It’s no doubt apparent that trafficking in the ideas and concepts surrounding both virtualized security and securing virtualized environments really honks my horn.  I’ve been writing about it a lot lately, and it’s starting to garner some very interesting amounts of attention from lots of different sources.

One of those sources sent me an email after reading some of my ramblings and framed a discussion point that I was writing about anyway, so I thought it a perfect opportunity to discuss it.

Specifically, when a disruptive emerging technology bursts onto the scene with many of the threats and vulnerabilities associated with said technology being mostly theoretical, conceptual and virtual in nature, how does one have a very real conversation with management regarding what should be done proactively to (and please forgive me both ISS and ISS-naysayers) "get ahead of the threat."

That is, how do you start talking about the need to assess and make actionable, if possible, the things necessary to secure such an impacting technology?  Asked not to be identified when I quoted him, I believe one of my readers summed this up quite nicely:

"I really enjoy your blog posts about virtualization security, since it’s a challenge I’m dealing with right now. The real problem I’m finding is explaining the security issues to people who don’t get security in general, and double-don’t-get-it in the context of virtualization.

The two points I really try to get across are:

1. the fact that there aren’t any common, well-known attacks specific to virtualization in the wild (guest hopping etc) is not a good thing, it’s a BAD thing; they’re coming!

2. a virtual server is like a little mini-network where essentially none of our existing security measures apply (I guess I’m mostly thinking of IDS here)

Am I hitting the right points, do you think? Where else can I go with this, since the "threat" is pretty much "I don’t know but something someday?"

My response is straightforward.   I think that he’s dead-on inasmuch as explaining virtualization and the risks associated with it is difficult, mostly because the "threats" are today mostly theoretical and the surface area for attack — or the vulnerabilities for that matter — just aren’t perceived as being there.

So the normal thing to do is just suggest that what we have will be applied to solve the "same" problems in the virtualized context and we’ll deal with the virtualization-specific threats and vulnerabilities when they become more "real." <sigh>

We can shout to the treetops about what is coming, but people don’t generally invest in security proactively because in many cases we’ve seemed to accept that the war is lost and we’re just looking to win a battle every once and a while.  <sigh^2>

It doesn’t help that we’re trying to build business cases to start thinking about investing in securing virtualized environments when the threats and vulnerabilities are so esoteric and by manner of omission executives are basically told that security is something they do not need to focus on any differently in their virtualization deployments.

So I only have a few suggestions for now:

  1. I’d use my preso. to help lubricate the conversation a little; it sums most of this up nicely
  2. Don’t make the mistake of suggesting the sky is falling — it may be, but that’s not going to get you timeshare or share of wallet
  3. In this nascent market, we have to communicate the potential exposure and elevated risk in
    the language of and terms associated with business; why should you spend time and money on this versus, say, patch management.
  4. You better have an answer to this one: "Virtualization is going to save us money, now you want to spend more to secure it!?"
  5. Abstract the discussion related to investment in terms of pushing vendors in your portfolio (by spending time/money) on making sure they will have something to offer you when you need it and start assessing your business and IT plans to see how they align to policy today
  6. Start to build what will be the best practices for what your virtualized environments ought to look like with what you know now, BEFORE you start having to put them into production next week
  7. Talk with your auditors — make them your allies.  Ask them how they expect to audit and assess your virtual environments (be careful what you ask for, however)
  8. Use what you have; you’re going to have to for a while anyway.
  9. Start testing now; demonstrate empirically how existing compensating controls will/will not satisfy your security policies in a virtualized construct
  10. Keep calm.  By the time we get around to cleaning this mess up, we’ll have another pile right around the corner.  This is a continuum, remember?  Same crap, different decade. At least we have twitter and facebook now.

In closing, and without sounding like a clucking chicken, check out this summary of a recent vulnerability disclosure on how to run arbitrary code on a VMware GuestOS thanks to a "feature" in VMware’s scripting automation API. Dennis Fisher over at SearchSecurity did a nice write-up about Mark Burnett’s recent discovery:

The folks at VMware have been in the news quite a bit of late,
thanks to their big IPO and their discreet acquisition of Determina a
couple of weeks ago. Now, the company’s core virtualization product is
getting some attention, but not the kind company executives will like.
Mark Burnett, an independent security consultant and author, recently
posted a long description of a vulnerability in VMware’s scripting automation API that he found.

The vulnerability comes down to this: The API allows any script on
the host machine to execute code and take other actions on any virtual
machine that’s running on the PC, without requiring any credentials on
the guest operating system. This presents a number of problems, as
Burnett points out:

The problem is that a malicious script running within
the context of a regular user on my desktop can run administrator-level
scripts on any guest I am currently logged in to. Using Ctrl+Alt+Del to
lock the desktop of those machines does not prevent VIX from executing
commands on the guest. Even if I log out of each guest machine the
malware can just queue the command to run the next time I log in at the
console of the guest OS.

However, this is in fact a feature that the VMware developers
intentionally included.
VMware told Burnett that, in essence, anyone
who can access the virtual machine APIs on a machine can access the
virtual hard disks anyway and would be able to attack the PC from that
direction. But it seems to me that Burnett is on to something here.
Sure, there are plenty of other methods for attacking virtual machines,
but that doesn’t mean this should be ignored.

Burnett also has found a way to mitigate the problem by adding a switch to the VMX config file.

This will be the first of many, of that you can be sure.  Without flapping your feathers, however, you can use something like this to start having discussions in a calm, rational manner…before you have to go reconfigure or patch your global virtualized server farms, that is…

/Hoff

 

Categories: Risk Management, Virtualization Tags:

HyperJackStacking? Layers of Chewy VMM Goodness — the BLT of Security Models

August 27th, 2007 1 comment

Blt
So Mogull is back on the bench and I’m glad to see him blogging again. 

As I type this, I’m listening to James Blunt’s  new single "1973" which is unfortunately where Rich’s timing seems to be on this topic.  ‘Salright though.  Can’t blame him.  He’s been out scouting the minors for a while, so being late to practice is nothing to be too wound up about.

<If you can’t tell, I’m being sarcastic.  I only wish that Rich was
when he told me that his favorite TexMex place in his hometown is
called the "Pink Taco."  That’s all I’m going to say about that…>

The notion of the HyperJackStack (Hypervisor Jacking & Stacking) is actually a problem set that has been discussed at length and in the continuum of these discussions happened quite a while ago. 

To put it bluntly, I believe the discussion — for right or wrong — stepped over this naughty little topic months ago in lieu of working from the bottom up for the purpose exposing fundamental architectural deficiencies (or at least their potential) in the core of virtualization technology.  This is an argument that parallels dissecting a BLT sandwich…you’re approaching getting to the center of a symmetric stack so which end you start at is almost irrelevant.

The good/bad VMM/HV problem has really been relegated to push-pin on the to-do board of all of the virtualization vendors and this particular problem has been framed by said vendors to be apparently solved first operationally from the management plane and THEN dealt with from the security perspective.

So Rich argues that after boning up on Joanna and Thom’s research that they’re arguing the wrong case completely for the dangers of virtualized rootkits.  Instead of worrying about undetectability of this or that — pills and poultry be damned — one should be focused on establishing the relative disposition of *any* VMM/Hypervisor running in/on a host:

Problem is, they’re looking at the wrong problem. I will easily concede
that detecting virtualization is always possible, but that’s not the
real problem. Long-term virtualization will be normal, not an
exception, so detecting if you’re virtualized won’t buy you anything.
The bigger problem is detecting a malicious hypervisor, either the main
hypervisor or maybe some wacky new malicious hypervisor layered on top
of the trusted hypervisor.

To Rich’s credit, I think that this is a huge problem and one that deserves to be solved.  That does not mean that I think one is the "right" versus "wrong" problem to solve, however.  Nor does it mean this hasn’t been discussed.  I’ve talked about it many times already.  Maybe not as eloquently…

The flexibility of virtualization is what provides the surface expansion of vectors for threat; you can spin up, move or kill a VM across an enterprise with a point-click.  So the first thing to do before trying to determine if a VMM/HV is malicious is to detect its presence and layering in the first place…this is where Thom/Joanna’s research really does make sense.

You’re approaching this from a different direction, is all.

Jackintheboxceo
Thom responded here, and I have to agree with his overall posture; the notion of putting hooks into the VMM/HV to allow for "external" detection mechanisms for the sake solely of VMM/HV rootkit detection is unlikely given the threat, but we are already witness to the engineered capacities to allow for "plug-ins" such as Blue Lane’s that function "along side" the HV/VMM and there’s nothing saying one couldn’t adapt a similar function for this sort of detection (and/or prevention) as a value-add.

Ultimately though, I think that the point of response boils down to the definition of the mechanisms used in the detection of a malicious VMM/HV.  I ask you Rich, please define a "malicious" VMM/HV from one steeped in goodness. 

This sounds like in practice, it will come down to yet another iteration of the signature-driven IPS circle jerk to fingerprint/profile disposition.  We’ll no doubt see anomaly and behavioral analysis used here, and then we’ll have hashing, memory firewalls, etc…it’s going to be the Hamster Wheel all over again.  For the same reason we have trouble with validating security and compliance state for anything more than the cursory checks @ 30K feet today, you’ll face the same issue with virtualization — only worse.

I’ve got one for you…how about escaping from the entire VM "jail" entirely…Ed Skoudis over @ IntelGuardians just did an interview with the PaulDotCom boys on this topic…

I believe one must start from the bottom and work up; they’re trying to make up for the fact that this stuff wasn’t properly thought through in this iteration and are trying to expose the issue now. In fact, look at what Intel just announced today with vPro:

New in this product is Intel Trusted Execution Technology (Intel
TXT, formerly codenamed LaGrande). Intel TXT protects data within
virtualized computing environments, an important feature as IT managers
are considering the adoption of new virtualization-enabled computer
uses. Used in conjunction with a new generation of the company’s
virtualization technology – Intel Virtualization Technology for
Directed I/O – Intel TXT ensures that virtual machine monitors are less
vulnerable to attacks that cannot be detected by today’s conventional
software-security solutions. By isolating assigned memory through this
hardware-based protection, it keeps data in each virtual partition
protected from unauthorized access from software in another partition.

So no, Ptacek and Joanna aren’t fighting the "wrong" battle, they’re just fighting one that garners much more attention, notoriety, and terms like "HyperJackStack" than the one you’re singling out.  ;)

/Hoff

P.S. Please invest in a better setup for your blog…I can’t trackback to you (you need Halo or something) and your comment system requires registration…bah!  Those G-Boys have you programmed… ;)

As Promised: ISO17799-Aligned Set of IT/Information Security P&P’s – Great Rational Starter Kit for a Security Program

August 27th, 2007 14 comments

Giveback_2
Per my offer last week, I received a positive response to my query asking if folks might find useful a set of well-written policy and procedures that were aligned to ISO17799.  I said that I would do the sanitizing work and release them if I got a fair response.

I did and here they are.  This is in Microsoft Word Format.  534 KB.

My only caveats for those who download and use these is please don’t sell them or otherwise engage in commercial activity based upon this work.

I’m releasing it into the wild because I want to help make people’s lives easier and if these P&P’s can help make your security program better, great.  I don’t want anything in return except perhaps that someone else will do something similar.

I must admit that I alluded to a lot of time, sweat and tears that *I* contributed to this document.  To be fair and honest in full disclosure, I did not create the majority of this work; it’s based upon prior art from multiple past lives, and most of it isn’t mine exclusively.

As a level-set reminder:

The P&P’s are a complete package that outline at a high-level
the basis of an ISO-aligned security program; you could basically
search/replace and be good to go for what amounts to 99% of the basic
security coverage you’d need to address most elements of a well-stocked
security pantry.

You can use this “English” high-level summary set to point to
indexed detailed P&P mechanics or standards that are specific to
your organization.

All you need to do is modify the header/footer with your company’s logo & information and do a search/replace for [COMPANY] with your own, and you’ve got a fantastic template to start building from or add onto another framework with.

Please let me know if this is worthwhile and helped you.  I could do all sorts of log tracking to see how many times it’s downloaded, etc., but if you found it helpful (even if you just stash it away for a rainy day) do let me know in the comments, please.

I also have a really good Incident Response Plan that I consolidated from many inputs; that one’s been put through at least one incident horizon and I lived to tell about it.

Regards,

/Hoff

Worried About Virtualization & Security? InfoWorld’s “Virtualization Executive Forum” Isn’t…

August 26th, 2007 1 comment

Headinsand
On September 24-25th, InfoWorld will host their Virtualization Executive Forum in NYC which promises "…two days of
technical breakout sessions, case studies and industry expertise on
server, desktop, application, storage and file virtualization
technologies."

Here’s the overview:

Designed for those
who are evaluating where to begin and for those already implementing
virtualization technologies, InfoWorld’s Virtualization Executive Forum
features:

  • Analyst perspectives on innovative uses of virtualization adoption
    rates and trends, and policy-based datacenter automation
  • In-depth
    sessions examining Virtual Machines and Security, Open Source
    Virtualization, Business Continuity/Disaster Recovery, and more.
  • Industry
    Keynotes from IT end users addressing the challenges, pitfalls,
    results, and benefits of their implementations
  • A
    spotlight on Green IT practices and its potential for cost savings and
    reducing power and cooling needs in large datacenters.

In
addition to the in-depth case studies and industry panels you have come
to expect from InfoWorld’s Executive Forums, this fourth edition has
added another key ingredient to the mix: more opportunities for you and your peers to  collaborate and share experiences.

For an "executive forum" they have an interesting split-track breakout agenda; one track features case studies and the other focuses on technical presentations and panels.

Here’s the rub, did you notice that the word "security" appears only twice in the entire agenda, once in the keynote address and once more in a case-study breakout session on day two regarding applications of virtualization.  While I recognize that this is supposedly targeted at "executives," let’s take a look at the technical track breakout topics:


  • Vendor Crossfire: x86 Server Virtualization
  • Getting Started with Server Virtualization
  • Technical Track: Physical to Virtual Migration
  • Leveraging Virtualization for Information Availability and Business Continuity
  • Lessons from Big Iron: The Power of RISC UNIX Virtualization
  • Open Source Hypervisor: Zeroing in on Xen
  • VM Management and Monitoring
  • Scaling Virtual Infrastructure

Virt_spotlight_4Not a mention of security in the bunch.  This is asinine. If you’re at all curious as to why security is an after-thought in emerging markets, look no further than this sort of behavior. 

…and don’t just tell me that security is "assumed."

If the executives who attend this two day forum walk away with a head full of fun new ideas and cautionary tales regarding virtualization and the closest thing to security they got was the valet guarding the doughnuts during the break, don’t anybody get surprised in 18 months when the house of cards come tumbling down.

InfoWorld, what the hell!?  How about ONE session — even a panel — titled something as simple as "Virtualization and Security – A Discussion You Need to Have."

In fact, you’re welcome to at least just print out my presentation from a couple of days ago and give it to your attendees.  At least they’ll walk away with something relating to security and virtualization.  850+ people from my blog already have more information on security and virtualization *for free* than is being presented at the forum.

Listen, I feel so strongly about this that I’ll speak for free on the topic — I’ll pay my own hotel, airfare, etc…and you can keep the doughnuts during the break.

By the way, I find it deliciously ironic that when I clicked on the "Visit Virtualization Portal" link in the above graphic, I was greeted by this little gem:

Iwvirtoverflow

I’m sure this is probably running on a "real" server.  A virtualized instance would never have this sort of problem, right? ;)

/Hoff