Archive

Archive for the ‘Uncategorized’ Category

Really Interesting Blog Snippets I Don’t Have Time to Comment On…

December 20th, 2007 1 comment

I’m swamped right now and have about 30 tabs open in Mozilla referencing things I expected to blog about but simply haven’t had the time to.  Rather than bloat Mozilla’s memory consumption further and lose these, I figured I’d jot them down.

Yes, I should use any number of the services available to track these sorts of things for this very purpose, but I’m just old fashioned, I guess…

Perhaps you’ll find these snippets interesting, also.

Sadly I may not get around to blogging about many of these.  I’ve got a ton more from the emerging technology, VC and virtualization space, too. 

I don’t want to become another story summarizer, but perhaps I’ll use this format to cover things I can’t get to every week.

/Hoff

Categories: Uncategorized Tags:

WARNING: Tunneling Traffic Means Filtering On 5-Tuple Insufficient. Welcome to 1995!

December 8th, 2007 4 comments

…just to put your mind at ease, no, that’s not me.  I’m all about the boxers not briefs.  Now you know since you’ve all been wondering, I’m sure…

I really do appreciate it when people dedicate time, energy and expertise to making sure we’re all as informed as we can be about the potential for bad things to happen.  Case in point, hat tip to Mitchell for pointing us to just such a helpful tip from a couple of guys submitting a draft to the IETF regarding the evils of tunneled traffic.

Specifically, the authors are commenting on the "feature" called Teredo (RFC 4380), in which IPv6 packets are tunneled inside IPv4 UDP datagrams; Teredo servers listen on UDP port 3544, so to a port-based filter the tunnel looks like any other UDP flow.

Here’s the shocking revelation, sure to come as a complete surprise to anyone in IT/Security today: if you only look at SrcIP, DstIP, SrcPort, DstPort and Protocol, you’ll miss the fact that nasty bits are traversing your networks in a tunneled/encapsulated death ray!

Seriously, welcome to 1995.  If your security infrastructure relies upon technology that doesn’t inspect "deeper" than the 5-tuple above, you’re surely already aware of this problem, since 90% of the traffic entering and leaving your network is probably already "tunneled" inside port 80/443.

Here’s a practical example.  I stuck a Palo Alto Networks box in front of my home network as part of an evaluation for a client I’m doing.  Check out the application profile of the traffic leaving my network via my FIOS connection:
[screenshot: application profile of outbound traffic, not reproduced here]

Check out that list of applications above.  Care to tell me how many of them are tunneled over/via/through port 80/443?  True, they’re not IPv6 in IPv4, but it’s really the same problem: obfuscating applications and protocols means you need much more precise fidelity and resolution in detecting what’s going through your firewall’s colander.

By the way, I’ve got stuff going through SSH port forwarding, in ICMP payloads, via SSL VPN, via IPSec VPN…can’t wait to see what happens when I shove ’em out using Fragrouter.
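To make the 5-tuple point concrete, here is an added example (not code from the post, from the IETF draft or from any vendor) that parses one constructed IPv4/UDP packet two ways. five_tuple() reports what a port-based filter sees: UDP from 192.0.2.10 to a Teredo server at 198.51.100.5:3544. teredo_inner_flow() validates the UDP payload as Teredo per RFC 4380 (skips the optional Authentication and Origin indications, then checks the IPv6 version nibble and that the payload length field matches what is actually there) and reports the inner flow: a TCP SYN to port 22 on 2001:db8::1. The packet, addresses and ports are constructed for the example (documentation ranges); the parser deliberately does not key on port 3544, since Teredo clients and relays use arbitrary UDP ports, so the format check is what does the work.

```python
import struct
import ipaddress

# Added example, not from the original post: the outer 5-tuple versus the
# IPv6 flow hidden inside a Teredo (RFC 4380) UDP payload.

TEREDO_SERVER_PORT = 3544  # UDP port Teredo servers listen on (RFC 4380)


def parse_ipv4(pkt):
    """Return (protocol, src, dst, layer-4 bytes) from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:total_len]


def five_tuple(pkt):
    """(src, sport, dst, dport, proto): all a 5-tuple filter ever sees."""
    proto, src, dst, l4 = parse_ipv4(pkt)
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:        # TCP or UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return (src, sport, dst, dport, proto)


def strip_teredo_indications(data):
    """Skip the optional Authentication (0x0001) and Origin (0x0000)
    indications that may precede the IPv6 packet (RFC 4380 section 5.1)."""
    while len(data) >= 4:
        tag = struct.unpack("!H", data[:2])[0]
        if tag == 0x0001:                          # authentication indication
            id_len, au_len = data[2], data[3]
            # tag(2) + lengths(2) + client id + auth value + nonce(8) + confirmation(1)
            data = data[4 + id_len + au_len + 9:]
        elif tag == 0x0000:                        # origin indication
            data = data[8:]                        # tag(2) + port(2) + IPv4(4)
        else:
            break
    return data


def teredo_inner_flow(pkt):
    """Inner IPv6 5-tuple if the UDP payload is a valid Teredo packet, else None."""
    proto, _, _, l4 = parse_ipv4(pkt)
    if proto != 17 or len(l4) < 8:
        return None
    udp_len = struct.unpack("!H", l4[4:6])[0]
    data = strip_teredo_indications(l4[8:udp_len])
    # RFC 4380 section 5.2.3 validation: version 6 and a consistent payload length.
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", data[4:7])
    if payload_len != len(data) - 40:
        return None
    src6 = str(ipaddress.IPv6Address(data[8:24]))
    dst6 = str(ipaddress.IPv6Address(data[24:40]))
    inner = data[40:]
    isport = idport = None
    if next_hdr in (6, 17) and len(inner) >= 4:
        isport, idport = struct.unpack("!HH", inner[:4])
    return (src6, isport, dst6, idport, next_hdr)


def build_sample_packet():
    """Constructed sample: IPv4/UDP to a Teredo server carrying an origin
    indication and an IPv6 TCP SYN to port 22 (all addresses are documentation ranges)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip6 = (struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64)
           + ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
           + ipaddress.IPv6Address("2001:db8::1").packed + tcp)
    # Origin indication: port and address are XOR-obfuscated with 0xFF per the RFC.
    origin = struct.pack("!HH", 0x0000, 0xFFFF ^ 51000) + bytes(
        b ^ 0xFF for b in ipaddress.IPv4Address("203.0.113.7").packed)
    udp_payload = origin + ip6
    udp = struct.pack("!HHHH", 51000, TEREDO_SERVER_PORT, 8 + len(udp_payload), 0) + udp_payload
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.5").packed)
    return ip4 + udp


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("outer 5-tuple:", five_tuple(pkt))        # UDP 192.0.2.10:51000 -> 198.51.100.5:3544
    print("inner flow:   ", teredo_inner_flow(pkt))  # TCP 2001:0:... -> 2001:db8::1 port 22
```

The length-consistency check is the only thing separating a Teredo payload from any UDP datagram whose first byte happens to start with 0x6; a decoder you actually deployed would also verify the inner transport checksum and that the inner source is a well-formed Teredo address before trusting the result.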

I’m all for raising awareness, but does this really require an IETF draft to update the Teredo specification?

/Hoff


I Can Has Cheezburger & R U Secure?

October 24th, 2007 No comments

A day or so ago, I was reflecting on one of Gunnar Peterson’s posts regarding Information Security spending and the lack of transparency and measurement therein.  His post referred to a set of five questions that Dan Geer suggested (rightly) ought to be answered by anyone managing security efforts or defending a security budget:

Awhile back, Dan Geer posed the following questions:

  • How secure am I?
  • Am I better than this time last year?
  • Am I spending the right amount of $$?
  • How do I compare to my peers?
  • What risk transfer options do I have?

Dan asserted, and I agree, that these are perfectly reasonable for senior management to ask, virtually any part of a business can provide some enlightenment on them, and the exception is infosec which has virtually no way to answer any of these today.

    A few moments ago, Richard Bejtlich over at the TaoSecurity blog posted a fantastic substitute/extension to question number one above "How secure am I?" by asking "Are you Secure?"  Richard goes one step further and suggests that you prove it.

    Richard sets up the scenario by establishing the ground rules:

    Are you secure?  Prove it.  These five words form the core of my recent thinking on the digital security scene.  Let me expand "secure" to mean the definition I provided in my first book: Security is the process of maintaining an acceptable level of perceived risk.  I defined risk as the probability of suffering harm or loss.  You could expand my five word question into are you operating a process that maintains an acceptable level of perceived risk?

    <snip>

    For the purpose of this exercise let’s assume it is possible
    to answer "yes" to this question. In other words, we just don’t answer
    "no." We could all make arguments as to why it’s impossible to be
    secure, but does that really mean there is no acceptable level of
    perceived risk in which you could operate? I doubt it.

    He does a fantastic job of suggesting how you might want to approach answering that question.

    Read it, it’s fantastic.

    /Hoff


    Security is NOT the Primary Limiting Factor Inhibiting SOA’s Growth

    October 12th, 2007 7 comments

    Peter Schoof over at eBizQ’s Twenty-Four Seven Security makes a couple of very interesting assertions regarding the lack of growth of Service Oriented Architecture (SOA).

    I haven’t seen much discussion in the blogosphere about the security challenges that arise from loosely coupled service orientated systems, but that will soon change. As more and more companies move towards open applications a la SOA, data is also opened up to a whole new series of exploits and vulnerabilities.

    I will agree that SOA presents some very interesting security challenges which, as with many emerging technologies, people attempt to solve by bolting security on instead of baking it in.  I’d also agree that SOA will manifest new attack surfaces and potential vulnerabilities; it already has.

    Interestingly, the market for SOA security solutions came out of the gate strong, looked hot in the midst of consolidation and M&A madness, but then stumbled as the adoption of SOA (or specifically SOA security) did not support this nascent market kindly.  It has, in fact, become a feature, not a market. 

    As to there not being much discussion in the blogosphere surrounding SOA, perhaps Peter missed Gunnar Peterson, Lori MacVittie, Arnon Rotem-Gal-Oz, or even Me.  Obviously Joe McKendrick has been blogging about SOA and security for some time also since he’s the person moderating the webinar that Peter is referring to in his full post.

    At this point, security is the primary limiting factor inhibiting SOA’s growth. In order to counteract that, "Enterprises need to apply non-invasive, externalized security policy enforcement mechanisms consistently throughout their SOA ecosystems, while also centrally managing security policy."

    <Cough!> Um, no.  Firstly, please shoot the marketing drone that wrote that.

    Secondly, and most important, the primary limiting factor inhibiting SOA’s growth is the gross sum of: the definition of SOA, the state (mess) of Enterprise Architecture, operationalizing SOA and message buses, the business case, business value, complexity, and the cost center.  Security’s in there somewhere, but it’s far from being THE primary limiting factor, Peter.

    I’m all for trying to raise the flag regarding SOA and the need for security, but please don’t play pin the tail on the donkey with security as the Ass…you’re only going to look like one.

    /Hoff


    Interviewed for Information Security Magazine – Security 7 Award Winners Article

    October 2nd, 2007 2 comments

    This month’s Information Security Magazine features the 2007 Security 7 Award Winners.  This year’s winners represent an excellent cross-section of security professionals in seven industries, each with very diverse and interesting backgrounds, approaches and career paths:

    • Michael Assante, Infrastructure Protection Strategist, Idaho National Labs
    • Kirk Bailey, CISO, University of Washington
    • Michael K. Daly, Director Enterprise Security Services, Raytheon
    • Sasan Hamidi, CISO, Interval International
    • Timothy McKnight, VP&CISO, Northrop Grumman
    • Mark Olson, Manager of IS Security and DR, Beth Israel Deaconess Medical Center
    • Simon Riggs, Global Head of Security, Reuters

    Congratulations to all of this year’s winners!  I know four of them and they’re all excellent representatives of our profession.

    I was one of the inaugural Security 7 award winners back in 2005 in the financial services category when I was a CISO, and was interviewed over the phone recently by Michael Mimoso from the magazine for a "catching up with…" piece that complemented the profiles of this year’s winners.

    Please forgive the rather colloquial nature of the transcription of the discussion, it was very much a stream of consciousness as part of a 20 minute conversation that has been edited down for size.  Some of the concatenated sentences seem to contradict one another…I didn’t get to see it before it went to press ;(  Nonetheless, I appreciate the opportunity, Michael.

    You can find the entire story here and my blurb here.  Shimmy, as big a pain in the ass as you are, you’ll notice that I appropriately state that I owe my blogging to you.  Thanks, pal.

    For reference, here is a listing of the 2005 and 2006 winners:

    2005
      Edward Amoroso (Telecommunications)
      Hans-Ottmar Beckmann (Manufacturing)
      Dave Dittrich (Education)
      Patrick Heim (Health care)
      Christofer Hoff (Financial services)
      Richard Jackson (Energy/utilities)
      Charles McGann (Government)
    2006
      Stephen Bonner (Financial services)
      Larry Brock (Manufacturing)
      Dorothy Denning (Education)
      Robert Garigue (Telecommunications)
      Andre Gold (Retail)
      Philip Heneghan (Government)
      Craig Shumard (Health care)

    I’d also like to call out and pay tribute to one of the 2006 award winners, Robert Garigue, who passed away in January.  May he rest in peace.

    /Hoff


    Watermarking & DRM Round 2: Amazon.com Watermarking Their MP3s…

    September 26th, 2007 No comments

    About a month ago, I posted about a CNET article by Matt Rosoff which suggested that digital watermarking would replace DRM.  My suggestion was that it was pretty obvious that watermarking won’t "replace" DRM; it is merely another accepted application of it.

    Here’s a really interesting story from Gizmodo about how Amazon is now claiming to be DRM free whilst embedding a digital watermark into the MP3s it sells.  The article is titled "Still DRM Free: Amazon’s MP3s Contain Watermarks, But Not the Privacy-Invading Variety."

    Interestingly, the author (Adam Frucci) shows an image comparing the waveforms of the original recording, the watermarked encoding, and the difference between the two (the watermark artifacts).

    Amazon.com’s new MP3 store watermarks its MP3s, but only with information stating where the songs were purchased, not who did the purchasing, according to the online uberstore.

    That’s the good news. The bad news is that this issue has inspired me to ramble about the stupidity of the whole idea of watermarking tracks with identifying info.

    I mean, what would be the point? Most music that gets widely pirated comes from scene groups that do rips from CDs, not from people who legally purchase music online. It’s the same thing I never understood about DRM: it only takes one copy getting ripped or spread around for something to be easily accessed in the pirate-o-sphere, so why waste so much time keeping normal people from sharing? I mean, even if they did find some Kanye song in a girl’s shared Soulseek folder and it was ID’d with some dude’s name, what does that prove? Not much. In any case, Amazon doesn’t look to be doing anything of the sort, so bravo to that, and another kudos to them for selling only straight-up MP3s. Now just get all the labels on board and we’ll have the music store we’ve all been clamoring for for so long.

    I agree with the author that, if we assume the watermark describes only where the song was purchased, it does little good beyond the use Universal described in the previous article I referenced above:

    Universal can then use this data to help decide whether the risk of piracy outweighs the increased sales from DRM-free MP3 files, segmenting this decision by particular markets. For example, it might find that new Top 40 singles are more likely to find their way onto file-trading networks than classic rock from the 1970s.

    But that’s really not the reason for this post.  The reason for this post is the (originally bold-faced, underlined) phrase in the fourth paragraph above: "according to the online uberstore."  The author is simply going on Amazon’s word that the artifacts only contain purchase origin data and nothing regarding the purchaser?

    I find it odd that he’s not particularly concerned with validating Amazon’s claims and is willing to take them on face value that this is all the watermarks contain in order to support such a lofty title for the article. 

    /Hoff

    Apparently, InfoWorld’s Executive Forum on Virtualization *IS* Concerned About Security…

    August 29th, 2007 2 comments

    You might remember a post from a few days ago wherein I lambasted InfoWorld for not including security as a mainline topic for their upcoming Executive Forum on Virtualization.  I was pretty gruff, but I don’t think out of line, in calling them on this point.

    I blogged about it, tracked down the Forum organizers’ contact information and fired off an email to Jill Martay (VP of Events) and Doug Dineley (Conference Chair) with no expectation that I’d receive a response.

    In the meantime, Alan Shimel piped in, consoling me in his ever-effervescent style, by suggesting that despite my longwinded plea for sanity, I was merely wasting my breath — but that I shouldn’t worry because he’s making up for it with all the interviews he’s giving on how StillSecure will address the topic 😉

    My friend Chris Hoff has himself all worked up. In fact Hoff is in a huff. What has Christofer (for those who may not realize he spells his name funny) so worked up you ask? It seems the good folks over at InfoWorld are staging an Executive Forum on virtualization next month down in NYC.  Nowhere on the agenda is even a mention of security and the challenges that a secure virtualization environment poses.  Chris goes so far as to offer, on his own dime, to go down and personally deliver a presentation on security and virtualization. Well Chris it would be nice to see the InfoWorld folks take you up on this, but I would not hold my breath.

    While I obviously agree with Alan that virtualization is a fantastically interesting and relevant topic, it’s nice to know that even Alan can be wrong sometimes, too…it wasn’t a waste of time at all.

    Today I received an unexpected response to my email that described my disappointment in the lack of security content in the forum.  This email came from both Jill Martay and Doug Dineley which I thought was not only classy but reasonable:

    I don't disagree. My original plan for this event included an expert panel session on security, and I spent a good deal of time trying to put that together. I found it quite difficult to create a meaningful session that included people with useful things to say. And I didn't want a session with a lot of hand waving and cries of "the sky is falling."

    I hope to do better for the next forum, which is coming around in February (I think). The level of discussion around securing virtual servers will rise over time, as more security officers start grappling with larger virtual environments.

    I thank you Doug and Jill for both responding and explaining the situation and I look forward to speaking with you soon with some recommendations for content which satisfies your requirements — and those of your attendees.  I’m convinced there’s plenty out there…

    So, Alan, sometimes it’s worth a few altruistic exhales on behalf of a secure humanity.   You never know, you might get back a breath of fresh air in return.

    /Hoff

    Watermarking and DRM – One Replacing the Other?

    August 17th, 2007 5 comments

    I sat staring at my screen today with a squinty look in my eyes and a soured puss as my wife asked me why I looked so funny.  "Meh!" I replied tersely.

    The real answer was that I was pondering the question posed by the title of a topical piece penned by CNET’s Matt Rosoff, which asked: "Watermarking to Replace DRM?"

    I think the reason I looked so perturbed is that it was an overtly stupid innocent question given that it’s pretty obvious that watermarking won’t "replace" DRM, it is merely another accepted application of it.

    It doesn’t take much to remember that the ‘M’ in ‘DRM’ stands for management.  Tracking how files move around is part of the M.  Why is this any different?  The point of monitoring anything is either to: (a) gather intelligence which can be used to (b) implement a control or effect a disposition based upon said intelligence.

    It’s interesting that in many cases we risk giving up our ‘R’ but that’s a topic for a different post.

    So here’s the premise of watermarking, something I think most of us understand:

    So what’s watermarking? It’s the insertion of extra data into an audio stream that can help identify where that audio came from. It’s not enough to attach data to a digital audio file–users can just burn that file to a CD and then re-rip it, changing the file format and stripping off all the data associated with the original file. (This is also the classic way users get around DRM.) Instead, the data is inserted into the audio track itself. It’s inaudible to human ears, but detectable by various other tools.

    What I found interesting from a security and technology perspective was the following:

    In the case of Universal, the watermarking data won’t identify each individual file–a method that would allow the company to trace pirated files back to their first purchaser. Instead, it will only identify the particular song. Eventually, Universal will look at popular file-trading networks, and see which of the DRM-free songs released through its experimental program ended up on these networks.

    Firstly, I don’t believe the first sentence.  Sorry, I’m a skeptic.  Secondly, this technology and its application isn’t new at all.  I have it on very, very good authority that existing technology has been used in this exact manner for the last several years by the RIAA in order to track and monitor P2P file swapping which includes audio.  It’s used by government and military operators, also.

    How do you think those subpoenas get issued specifically against those 12 year old girls swapping Shakira MP3’s?  They can definitively link a specifically watermarked MP3 with the IP address of the downloader after it’s injected into the network and consumed…by using watermarking.

    (Ed: Comments below by Jordan suggest that this practice is not used heavily.  I cannot dispute this assertion, but I maintain that the technology has been used in this manner.  See the comments for an interesting perspective.)

    It’s the same technology used by DLP and DRM solutions in the enterprise today.  So, watermarking is just another means to the end.  Period.
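Both watermarking posts in this archive (this one and the Amazon one above) turn on the CNET distinction between data attached to a file and data inserted into the audio itself. The following is an added example, not code from either post, from CNET, Universal or Amazon: a toy keyed spread-spectrum mark added to the samples, a crude stand-in for burn-and-re-rip (add noise, requantize to 8 bits, which also throws away anything stored outside the samples), and a correlation detector. The 440 Hz tone, the key values and the amplitude are constructed for illustration; real schemes shape the mark perceptually and survive far harsher transformations than this toy attempts, but the mechanism, a mark the wrong key cannot find and a re-encode cannot strip, is the same.

```python
import math
import random

# Added example, not code from either watermarking post: a toy keyed
# spread-spectrum watermark that lives in the samples, so it survives a
# transformation that discards file tags and container metadata.

SAMPLE_RATE = 8000
ALPHA = 0.05            # mark amplitude on a +-1.0 full-scale signal (constructed value)
THRESHOLD = ALPHA / 2   # correlation above this means "marked with this key"


def host_signal(n, freq=440.0):
    """A 440 Hz tone at half scale stands in for the original recording."""
    return [0.5 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]


def mark_sequence(key, n):
    """Keyed +-1 pseudo-random sequence; only a holder of the key can regenerate it."""
    rng = random.Random(key)
    return [1.0 if rng.random() < 0.5 else -1.0 for _ in range(n)]


def embed(samples, key):
    """Add the keyed sequence at amplitude ALPHA to every sample."""
    return [s + ALPHA * m for s, m in zip(samples, mark_sequence(key, len(samples)))]


def correlation(samples, key):
    """Mean of sample * mark: about ALPHA if marked with this key, about 0 otherwise,
    because the host signal and a wrong key's sequence are uncorrelated with the mark."""
    w = mark_sequence(key, len(samples))
    return sum(s * m for s, m in zip(samples, w)) / len(samples)


def detect(samples, key):
    return correlation(samples, key) > THRESHOLD


def reencode(samples, bits=8, noise_rms=0.02, seed=1):
    """Crude stand-in for burn-to-CD-and-re-rip: add noise and requantize.
    Anything stored outside the samples (tags, metadata) does not come through."""
    rng = random.Random(seed)
    step = 2.0 / (1 << bits)
    out = []
    for s in samples:
        s = max(-1.0, min(1.0, s + rng.gauss(0.0, noise_rms)))
        out.append(round(s / step) * step)
    return out


def demo(n=20000, key=0xC0FFEE, wrong_key=0xBEEF):
    """Returns (mark survives re-encode, wrong key rejected, clean signal rejected)."""
    clean = host_signal(n)
    ripped = reencode(embed(clean, key))
    return detect(ripped, key), not detect(ripped, wrong_key), not detect(clean, key)


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

With 20,000 samples the host tone contributes roughly 0.0025 of random correlation against a mark of 0.05, so the threshold sits about ten standard deviations above the unmarked case; that margin, not the amplitude, is what makes the detector reliable, and it is the same margin an adversary has to destroy to wash the mark out.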

    This is the funny part of the story:

    Universal can then use this data to help decide whether the risk of piracy outweighs the increased sales from DRM-free MP3 files, segmenting this decision by particular markets. For example, it might find that new Top 40 singles are more likely to find their way onto file-trading networks than classic rock from the 1970s.

    Sure it will… 😉  I feel all warm and fuzzy now.

    /Hoff

    * Picture Credit: CNET


    Libelous Accusations :: Jeremiah Grossman Uncorks!

    August 7th, 2007 3 comments

    {Ed: I have been informed, nay swatted, by one Mr. Newby, that I have incorrectly characterized JG’s actions as slander.  According to Rob (and the Oxford Dictionary — who by the way added Rachael Ray’s EVOO as an official f’ing "word" to their tome of wordage!) slander pertains to making a false spoken statement whilst libel is a false published statement.  Fine, supercalifragilisticslanderlibelocius it is then!}

    Not since InfoSec Sellout was discovered to be none other than Dave Maynor’s pet goat have I been so shocked at the venom spewing forth from the bowels of the Blogosphere.

    Jeremiah Grossman, famed XSS guru and tireless crusader for all things input-validated, has come unglued and lobbed slanderous libelous accusations against my person.

    In fact, he suggests that I lobbed myself slanderously libelously against his person! 

    I deny such allegations and offer forth righteous testimony that refutes these malicious tirades.   

    Judge for yourself the callous and acerbic commentary as evidenced by Senor Frog’s vitriol in summary of his Blackhat/DEFCON experience here:

    Side-channel conversations: There was a good bit of chitchat about BJJ and MMA. A lot of people in infosec train in various forms of martial arts. Makes sense I guess. However, I was not prepared for Chris Hoff’s unprovoked attack. In the front of PURE Chris comes out of nowhere like the Blair Witch, hugs me and says, “all I want to do is get in your butterfly guard big boy.”

    …OBJECTION, your honor, calls for speculation.  Nobody’s actually ever *seen* Jeremiah’s butterfly guard.  I have it on good advice that he’s prone (pun intended) to being mounted and submits to the nearest blog or publisher.

    Firstly, the so-called "attack" was hardly "unprovoked."  I have witnesses that will clearly testify that Grossman, who obviously had a silver ticket entrance to the Microsoft party, was flaunting his clearance at the entry of the Pussycat Dolls Theater.  I, on the other hand, was without Mr. Wonka’s shimmering docket of admission.

    I think Mike Rothman was standing there just as confused as I was. 🙂 Then later there was talk about some Hacker MMA Smackdown event rumor I hadn’t heard about. RSnake had and immediately said in his best Tyler Durden voice, “I’d fight Erik Birkholz.” I kid you not. Ask the Mozilla guys, they were there! Gotta be on guard at all times around these infosec guys, sheesh.

    Secondly, Mr. Grossman conveniently left out the part wherein one Mr. Mogull confidently dared me to wet-willy the former.  The best I could do was a rushed and flaccid (yes, I said flaccid) suplex attempt.  PURE is where Chuck "the ICEMAN" Liddell holds his after-parties.  I was inspired by the moment.

    Thirdly, Rothman is always confused.  Wait until you check out a picture of Rothman in his party attire…he caps off the ensemble with a pair of black socks and, jesus, Crocs…

    Fourthly, I’d give odds on Birkholz.  Two years ago we had the same conversation at the bar @ RSA.  He can tie knots in cherry stems with his tongue.  RSnake, admit it, you’re just outgunned!

    It’s all fun and games until someone loses an eEye.  Speaking of which…

    What has the world come to?

    /Hoff


    Bejtlich’s Guinness World Record @ Blackhat…Largest (Attempted) Ettercap MITM Attack

    July 30th, 2007 1 comment

    So after finally making it to Vegas (after 3 flight cancellations out of Logan) I got into my hotel room @ Caesar’s last night at around 2am in preparation for the week’s festivities at Blackhat and DEFCON.

    This morning started out with Day Zero of Richard Bejtlich’s ("bate-lik" as he’s kind to remind you) TCP/IP Weapons School: Black Hat Edition.

    What’s both sad and good about these classes is the reminder that new attack vectors always seem to root back to old-school protocol tampering: the same manipulation, and the same exploits of vulnerabilities, that still haven’t been mitigated.

    The first half of the day has focused on good ol’ Layer-2 attacks; smashing the switch and the hosts attached for fun and…this works up the stack to more progressively evil layered attacks and abuse of all things holy.

    Some folks might yawn at this approach, but Rich’s philosophy of starting at the bottom and working up the stack reminds us of just how delicate the networks we take for granted still are.  There are many folks in this class who know a hell of a lot about attack/defend and still take some time answering questions as we go through the Wireshark protocol decodes.  It’s good mental gymnastics.  I’m way out of practice in some of this stuff.

    To the topic of the blog entry at hand, we have about 60 guys and gals in this class and Rich organized a "lab" exercise that had 10 sets of "triplets" (sender, MITM attacker, recipient) participating in MITM attacks using Ettercap.

    While I’m sure we’ve set no actual records (or perhaps we have!) it was fun to see how many people would disable the firewall rules on their laptops and subject themselves to intercept abuse 😉  The Hoff, however, remains entirely too paranoid to attach his machine to anything resembling a network here — despite the fact that it’s a bulletproof Mac 😉
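The post doesn’t say which Ettercap MITM mode the triplets used; the assumption in the following added example (not code from the post, the class or Ettercap) is the classic one on a switched LAN, ARP poisoning, where the attacker answers ARP for the sender and recipient with its own MAC so that their traffic flows through it. The simplest thing a watcher on the segment can do is notice one IP claimed by two different hardware addresses in ARP replies. The frames, addresses and MACs below are constructed for the example.

```python
import struct

# Added example, not from the original post or from Ettercap: a minimal ARP
# watcher that flags the signature of ARP-poisoning MITM, the same IP
# claimed by two different MACs.

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    """'10.0.0.1' -> 4 bytes."""
    return bytes(int(o) for o in s.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP frame (Ethernet/IPv4) used as sample input."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip) as strings, or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return opcode, smac, sip


class ArpWatch:
    """Learns IP -> MAC from ARP replies and alerts when an IP's MAC changes.
    Seed the table from a known-good inventory where you can: trusting the
    first reply seen means an attacker who speaks first is simply learned."""

    def __init__(self, known=None):
        self.table = dict(known or {})
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, smac, sip = parsed
        prev = self.table.get(sip)
        if prev is None:
            self.table[sip] = smac
        elif prev != smac:
            alert = (sip, prev, smac)
            self.alerts.append(alert)
            return alert
        return None


def demo(seed_known=False):
    """Constructed traffic: a victim's request, the gateway's legitimate reply,
    then Ettercap-style poisoned replies claiming both the gateway's and the
    victim's IP from the attacker's MAC."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "10.0.0.1"
    victim_mac, victim_ip = "00:11:22:33:44:02", "10.0.0.2"
    attacker_mac = "de:ad:be:ef:00:01"
    known = {gw_ip: gw_mac, victim_ip: victim_mac} if seed_known else None
    watch = ArpWatch(known)
    frames = [
        build_arp(ARP_REQUEST, mac(victim_mac), ip(victim_ip), mac("00:00:00:00:00:00"), ip(gw_ip)),
        build_arp(ARP_REPLY, mac(gw_mac), ip(gw_ip), mac(victim_mac), ip(victim_ip)),
        build_arp(ARP_REPLY, mac(attacker_mac), ip(gw_ip), mac(victim_mac), ip(victim_ip)),
        build_arp(ARP_REPLY, mac(attacker_mac), ip(victim_ip), mac(gw_mac), ip(gw_ip)),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    print(demo())                # only the gateway spoof is caught
    print(demo(seed_known=True)) # with an inventory, both directions are caught
```

Without a seeded inventory the watcher only catches the gateway spoof, because the victim’s address was never learned from a legitimate reply before the attacker claimed it; that is the difference between a learning watcher and one fed a known-good table, and it is why a host firewall, which sits above ARP, does nothing for the people in the lab who switched theirs off.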

    It’s sad that Rich won’t be teaching this class anytime soon given his new job @ GE, because he’s a great instructor and his courses give a good balance of refresher, practical application of toolsets and in-depth protocol analysis all in one concise tidy package.

    Thanks, Mr. B.

    /Hoff
