Archive for September, 2006

Does the word ‘Matasano’ mean ‘allergic to innovation’ in Lithuanian?

September 27th, 2006 2 comments

(On the advice of someone MUCH smarter than Ptacek or me [my wife] I removed the use of the F/S-bombs in this post.)

Holy crap.  Thomas Ptacek kicked me square in the nuts with his post here in regards to my commentary about Blue Lane’s PatchPoint.

I’m really at a loss for words.  I don’t really care to start a blog war of words with someone like Thomas Ptacek who is eleventy-billion times smarter than I’ll ever hope to be, but I have to admit, his post is the most stupid frigging illustration of derivative label-focused stubbornness I have ever witnessed.  For chrissakes, he’s challenging tech with marketing slides?  He’s starting to sound like Marcus Ranum.

Thomas, your assertions about Patch Point (a product you’ve never seen in person) are inaccurate.  Your side-swipe bitch-slap commentary about my motivation is offensive.  Your obvious dislike for IPS is noted — and misdirected.  This is boring.  You assail a product and THEN invite the vendor to respond?  Dude, you’re a vendor, too.  Challenging a technology approach is one thing, but calling into question my integrity and motivation?  Back the hell up.

I just got back from an awesome gathering @ BeanSec!2 and Bourbon6 — so despite the fact that I’m going to hate myself (and this post) in the morning, I have to tell you that 4 of the people that read your post asked "what the hell?"  Did I piss in your corn flakes inadvertently?

Let me just cut to the chase:

1) I worked with Blue Lane as a customer @ my last job while they were still in stealth.  That’s why the "start date" is before the "live date".
2) When they went live, I bought their product.  The first, in fact.  It worked aces for me.
3) Call it an IPS.  Call it a salad dressing.  I could care less.  It works.  It solves a business problem.
4) I have ZERO interest in their company other than I think it solves said BUSINESS problem.
5) This *is* third party patching because they apply a "patch" which mitigates the exploit related to the vulnerability.  They "patch" the defect.
6) Your comment answers your own question:

You see what they did there? The box takes in shellcode, and then, by “emulating the functionality of a patch”, spits out valid traffic. Wow. That’s amazing. Now, somebody please tell me why that’s any improvement over taking in shellcode, and then, by “emulating the functionality of an attack signature”, spitting out nothing?

…ummm, hello!  An IPS BLOCKS traffic as you illustrate…That’s all. 

What if the dumb IPS today kills a valid $50M wire transaction because someone typed 10 more bytes than they should have in a comment field?  Should we truncate the extra 10 bytes or dump the entire transaction?

IPS’s would dump the entire transaction because of an arbitrary and inexact instantiation of a flawed and rigid "policy" that is inaccurate.  That’s diametrically opposed to what security SHOULD do.

[Note: I recognize that is a poor example because it doesn’t really align with what a ‘patch’ would do — perhaps this comment invites the IPS comparison because of its signature-like action?  I’ll come up with a better example and post it in another entry]

Blue Lane does what a security product should; allow good traffic through and make specifically-identified bad traffic good enough.  IPS’s don’t do that.  They are stupid, deny-driven technology.  They illustrate all that is wrong with how security is deployed today.  If we agree on that, great!  You seem to hate IPS.  So do I.  Blue Lane is not an IPS.  You illustrated that yourself.

Blue Lane is not an IPS because PatchPoint does exactly what a patched system would do if it received a malicious packet…it doesn’t toss the entire thing; it takes the good and weeds the bad but allows the request to be processed.  For example, if MS-06-10000 is a patch that mitigates a buffer overflow of a particular application/port (where anything over 1024 bytes can cause execution of arbitrary code) by truncating/removing anything over 1024 bytes, why is this a bad thing to do @ the network layer?

This *IS* a third party patch because within 12 hours (based upon an SLA) they provide a "patch" that mitigates the exploit of a vulnerability and protects the servers behind the appliance WITHOUT touching the host.

When the vendor issues the real patch, Blue Lane will allow you to flexibly continue to "network patch" with their solution or apply the vendor’s.  It gives you time to defend against a potential attack without destroying your critical machines by prematurely deploying patches on the host without the benefit of a controlled regression test.
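To make the drop-versus-truncate distinction concrete, here is an added example (my own illustration, not Blue Lane code and not a description of PatchPoint internals). It assumes a hypothetical protocol where each request carries one field, and takes the post's hypothetical patch label MS-06-10000 and its 1024-byte limit as given; the request format and the sample traffic are constructed for the example. It contrasts a deny-driven policy, which loses the whole transaction, with a gateway that emulates the patched host by trimming the field and forwarding the rest, while recording what it changed.

```python
"""Added example (not Blue Lane's code or PatchPoint internals): two ways a
network device can respond to a request whose field would overflow an
unpatched server.  The 1024-byte limit and the patch label MS-06-10000 are
the hypothetical case from the post above; the request format and the
sample traffic are constructed here."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Longest field the hypothetically patched server accepts (from the post's example).
MAX_FIELD_LEN = 1024


@dataclass(frozen=True)
class Request:
    client: str
    field: bytes


def deny_driven_ips(req: Request) -> Tuple[Optional[Request], str]:
    """Signature-style policy: anything over the limit is dropped whole.
    Returns (request to forward or None, audit action)."""
    if len(req.field) > MAX_FIELD_LEN:
        return None, "drop"
    return req, "pass"


def virtual_patch(req: Request) -> Tuple[Request, str]:
    """Emulates the patched host: trim the field to the safe length and let the
    now-harmless request continue to the server.  Nothing is dropped; the
    trimming is recorded so operators can see what was changed."""
    if len(req.field) > MAX_FIELD_LEN:
        return Request(req.client, req.field[:MAX_FIELD_LEN]), "truncate"
    return req, "pass"


Policy = Callable[[Request], Tuple[Optional[Request], str]]


def run(policy: Policy, traffic: List[Request]) -> List[Tuple[str, str, int]]:
    """Apply a policy to a traffic sample; return (client, action, bytes forwarded)."""
    results = []
    for req in traffic:
        out, action = policy(req)
        results.append((req.client, action, len(out.field) if out else 0))
    return results


# Constructed sample: a normal request, a legitimate but over-long comment
# (the post's "10 bytes too many" wire transfer), and an overflow attempt.
SAMPLE_TRAFFIC = [
    Request("legit", b"amount=50000000&memo=q4 settlement"),
    Request("verbose", b"memo=" + b"A" * 1030),
    Request("overflow", b"memo=" + b"X" * 4000),
]

if __name__ == "__main__":
    for name, policy in (("deny-driven IPS", deny_driven_ips),
                         ("virtual patch", virtual_patch)):
        print(name)
        for client, action, n in run(policy, SAMPLE_TRAFFIC):
            print(f"  {client:9s} {action:9s} forwarded={n}")
```

The practitioner's caveat is visible in the sample: trimming a free-text memo is harmless, but the same cut applied to a field whose meaning depends on its full contents (an amount, a signature, a length-prefixed record) would silently change the request rather than neutralize it. The gateway therefore only "does what a patched system would do" when the emulation is written per vulnerability to match the vendor fix's actual semantics; if the real patch rejects oversized input instead of truncating it, the gateway and the host will disagree about what a valid request is.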

You’re a smart guy.  Don’t assail the product in theory without trying it.  Your technical comparisons to the IPS model are flawed from a business and operational perspective and I think that it sucks that you’ve taken such a narrow-minded perspective on this matter.

Look,  I purchased their product  whilst at my last job.  I’d do it again today.  I have ZERO personal interest in this company or its products other than to say it really is a great solution in the security arsenal today.  That said, I’m going to approach them to get their app. on my platform because it is a fantastic solution to a big problem.

The VC that called me about this today seems to think so, too.

Sorry dude, but I really don’t think you get it this time.  You’re still eleventy-billion times smarter than I am, but you’re also wrong.  Also, until you actually meet me, don’t ever call into question my honor, integrity or motivation…I’d never do that to you (or anyone else) so have at least a modicum of respect, eh?

You’re still going to advertise BeanSec! 3, right?


Third Party Patching — Why Virtual Patch Emulation is the Host-est with the Most-est…

September 27th, 2006 3 comments

All this hubbub about third party patching is enough to make one cross-eyed…(read on for the ironic analog)

I’ve written about this twice before…once last month here and the original post from my prior blog written over a year ago!  It’s a different approach (that inevitably and incorrectly gets called an IPS) to solving the patching dilemma — by not touching the host but instead performing virtualized patch emulation in real-time via the network.

Specifically I make reference to a product and service from Blue Lane technologies (the PatchPoint gateway) which so very elegantly provides a layer of protection that is a NETWORK-BASED third party patching solution.

You don’t have to touch the host — no ridiculous rush to apply patches that might introduce more operational risk in the hurry to patch them than the risk imposed by the likelihood of the vulnerability being exploited…

You can deploy the virtual (third party) patch and THEN execute your rational and controlled approach towards regression testing those servers you’re about to add software to…

Rather than re-hash the obvious and get Alan Shimel designing book covers to attack my post like he did with Ross Brown from eEye (very cool, Shimmy!) you can just read the premise based upon the link above in the first sentence.

I don’t own any Blue Lane stock but I did happen to buy one of the first of their magical boxes 2 years ago and it saved my ass on many an occasion.  Patch Tuesday became a non-event (when combined with the use of Skybox’s amazing risk management toolset…another post.)

Keep your mitts off my servers….

Security as a Service: Security Service Oriented Architecture (SSOA) using Enterprise UTM

September 22nd, 2006 2 comments

I’m almost finished with a concept brief on how I describe and liken Enterprise UTM security service layers to a model I define as a Security Service Oriented Architecture (SSOA.)

(Ed: If you like, you can read the brief here — it is a summary compilation of thoughts that forms the basis of several presentations.)

I’ll post the entire brief shortly, but here’s the abstract from the paper titled "Delivering Enterprise Risk Mitigation Utilizing a UTM Security Service Oriented Architecture":

The evolution of modern enterprise information architecture has driven tectonic shifts in how information is made available and consumed across constituent layers within the Enterprise ecosystem.  The paradigm itself has undergone fundamental changes as the delivery mechanism and application model has transitioned from Client/Server to Internet/Web-based and now loosely-coupled componentized Service Oriented Architectures (SOA.)   

SOA provides for transformational methods of producing, accessing and consuming information across a delivery “platform” (the network) and provides quantifiable benefits across multiple boundaries: the reduction of integration and management total cost of ownership (TCO), asset and resource modularity and reusability, business process agility and flexibility, and the overall reduction of business risk.

Enterprise information architects have responded to this paradigm change by adopting methodologies such as Extreme Programming (XP) which is designed to deliver on-demand software layers where and when they are needed.   XP enables and empowers developers and information architects to rapidly respond to changing business requirements across the entire life cycle.  This methodology emphasizes collaboration and a modular approach toward delivering best-of-breed solutions on-demand.

These highly dynamic, just-in-time solutions pose distribution, management, protection and scaling issues that static product-centric network and security paradigms cannot adapt to quickly enough; each new technology presents new architectural changes, new vulnerabilities and new attack surfaces against which threats must be evaluated.  Unfortunately, there is no analog to Extreme Programming in the security world.

The networks charged with the delivery of this information and the infrastructure tasked with its secure operation have failed to keep evolutionary pace, are still mostly rigid and inflexible and are unable to deliver given a misalignment of execution capabilities, methodologies and ideologies.

This brief will first demonstrate that pure network infrastructure is, and always will be, fundamentally and unfortunately at odds with the technology and services designed to protect the information that is transported across it.   

The brief will then introduce the concept of a Security Service Oriented Architecture (SSOA) that effectively addresses the network/security conflict. By using an Enterprise Unified Threat Management (UTM) system overlaid across traditional network technology it becomes possible to eliminate individual security appliance sprawl and provide best-of-breed security value with maximum coverage exactly where needed, when needed and at a cost that can be measured, allocated and applied to most appropriately manage risk.

I’ll be interested in your comments regarding the abstract as well as the entire brief once I link to it.



Exposing/fingerprinting hidden services remotely by tracking heat-based clock skew…

September 22nd, 2006 No comments

When tools such as NMAP arrived on the scene years ago and fingerprinting for enumeration for pentesting and VA was the "hot" ticket, evasion techniques sprang up that were quite creative and forced researchers to get even more creative in attempts to discover and detect OS, applications and services running on a host remotely.

This has got to be one of the (and you’ll pardon the pun) "coolest" methods of detection and service enumeration I have seen to date; using CPU speed and temperature to detect processor utilization by hidden services — remotely using timestamp skews!

From Steven J. Murdoch @ Light Blue Touchpaper:

It is well known that quartz crystals, as used for controlling system clocks of computers, change speed when their temperature is altered. The paper shows how to use this effect to attack anonymity systems. One such attack is to observe timestamps from a PC connected to the Internet and watch how the frequency of the system clock changes.

I’m sure we’ll see evasion techniques, exception cases and "debunking the myth" posts pile up, but Mr. Murdoch sure made me scratch my head in amazement.  Maybe I’m just simple folk, but I think it’s really neat.

Next thing you know it’ll detect operator arousal after downloading pr0n!  I can tell you one thing, it’s pretty damned easy to fingerprint a MacBook Pro w/Core Duo processors…it heats my living room on a cold day and burns the hair off my thighs if I try to use it like a laptop…


The Immune System Analogous to Security?…SUCKS.

September 10th, 2006 3 comments

I find it oddly ironic that vendors such as Cisco maintain that the human immune system is a good model for how "network" security ought to function.  Now, I know that John Chambers’ parents are doctors, so perhaps he can’t help it…

In a recent blog entry, Richard Stiennon reviews John Chambers’ recent keynote at the Security Standards show, wherein he summarizes:

The human body is a good metaphor for the way security should be. You hardly ever notice when your body is attacked because the majority of attacks are warded off. It is the exception when you catch a cold or have to go to the doctor.

It’s an unfortunate analog because PEOPLE DIE.

In my Unified Risk Management Part I whitepaper, I specifically suggested that this idea sucks:

Networks of the future are being described as being able to self-diagnose and self-prescribe antigens to cure their ills, all the while delivering applications and data transparently and securely to those who desire it.

It is clear, however, that unfortunately there are infections that humans do not recover from.  The immune system is sometimes overwhelmed by attack from invaders that adapt faster than it can.  Pathogens spread before detection and activate in an overwhelming fashion before anything can be done to turn the tide of infection.

Mutations occur that were unexpected, unforeseen and previously unknown.  The body is used against itself as the defense systems attack both attacker and healthy tissue and the patient is ultimately overcome.  These illnesses are terminal with no cure.

Potent drugs, experimental treatments and radical medical intervention may certainly extend or prolong life for a short time, but the victims still die.  Their immune systems fail. 

If this analogy is to be realistically adopted as the basis for information survivability and risk management best practices, then anything worse than a bad case of the sniffles could potentially cause networks – and businesses — to wither and die if a more reasonable and measured approach is not taken regarding what is expendable should the worst occur.  Lose a limb or lose a life?  What is more important? The autonomic system can’t make that decision.

I’m sick of these industry generalizations and fluffy conference sound bites because they’re always painted with a rosy end, downplaying the realities of the "cons" (pun intended) at the expense of the what everyone knows as the truth.

…and the truth be told, this analog is actually the PERFECT model for the Information Security paradigm because of just how spectacularly the immune system fails.


BeanSec! Part Deux…

September 8th, 2006 1 comment

BeanSec! #2 is scheduled for Wednesday, September 27th:

An informal meetup of information security professionals and academics in the Cambridge/Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

The location is the Enormous Room (map) in Cambridge.   I believe we’re going to start @ 6PM again.

Please subscribe to the BeanSec! Mailing list.



Martin McKeay’s Podcast…

September 8th, 2006 2 comments

I don’t know how I forgot to mention this.  I’m an idiot.  I listen to Martin McKeay’s podcasts religiously…and I’ve been lucky enough to participate as part of a Mobcast once before.  Martin’s depth of knowledge and the breadth of categories/topics and guests he includes is phenomenal.

On August 29th, Martin was kind enough to have me on his podcast and interviewed me.  I did what I always do…talk too much.  We spoke about risk management, the security landscape, and UTM.

If you’ve got 40 minutes to kill, check out the podcast here.