Secure Services in the Cloud (SSaaS/Web2.0) – InternetOS Service Layers

July 13th, 2007 2 comments

The last few days of activity involving Google and Microsoft have really catalyzed some thinking and demonstrated some very intriguing indicators as to how the delivery of applications and services is dramatically evolving. 

I don’t mean the warm and fuzzy marketing fluff.  I mean some real anchor technology investments by the big-boys putting their respective stakes in the ground as they invest hugely in redefining their business models to set up for the future.

Enterprises large and small are really starting to pay attention to the difference between infrastructure and architecture and this has a dramatic effect on the service providers and supply chain who interact with them.

It’s become quite obvious that there is huge business value associated with divorcing the need for "IT" to focus on physically instantiating and locating "applications" on "boxes" and instead  delivering "services" with the Internet/network as the virtualized delivery mechanism.

Google v. Microsoft – Let’s Get Ready to Rumble!

Google’s move to securely deliver a variety of applications and services, the subject of my last few posts, represents the uplift of the "traditional" perspective of backoffice SaaS offerings such as Salesforce.com but also highlights the migration of desktop applications and utility services to the "cloud."

This is really executing on the thin-client, Internet-centric vision from back in the day o’ the bubble, when we saw a ton of Internet-borne services such as storage, backup, etc. using the "InternetOS" as the canvas for service.

So we’ve talked about Google.  I maintain that their strategy is to ultimately take on Microsoft — including backoffice, utility and desktop applications.  So let’s look @ what the kids from Redmond are up to.

What Microsoft is developing towards with their vision of CloudOS was just recently expounded upon by one Mr. Ballmer.

Not wanting to lose mindshare or share of wallet, Microsoft is maneuvering to give the customer control over how they want to use applications and more importantly how they might be delivered.  Microsoft Live bridges the gap between the traditional desktop and puts that capability into the "cloud."

Let’s explore that a little:

In addition to making available its existing services, such as mail and
instant messaging, Microsoft also will create core infrastructure
services, such as storage and alerts, that developers can build on top
of. It’s a set of capabilities that have been referred to as a "Cloud OS," though it’s not a term Microsoft likes to use publicly.

Late last month, Microsoft introduced two new Windows Live Services,
one for sharing photos and the other for all types of files. While
those services are being offered directly by Microsoft today, they
represent the kinds of things that Microsoft is now promising will be
also made available to developers.

Among the other application and infrastructure components,
Microsoft plans to open are its systems for alerts, contact management,
communications (mail and messenger) and authentication.

As it works to build out the underlying core services, Microsoft is
also offering up applications to partners, such as Windows Live
Hotmail, Windows Live Messenger and the Spaces blogging tool.

Combine the emerging advent of "thinner" end-points (read: mobility products) with high-speed, lower latency connectivity and we can see why this model is attractive and viable.  I think this battle is heating up and the consumer will benefit.

A Practical Example of SaaS/InternetOS Today?

So if we take a step back from Google and Microsoft for a minute, let’s take a snapshot of how one might compose, provision, and deploy applications and data as a service using a similar model over the Internet with tools other than Live or GoogleGear.

Let me give you a real-world example — deliverable today — of this capability with a functional articulation of this strategy; on-demand services and applications provided via virtualized datacenter delivery architectures using the Internet as the transport.  I’m going to use a mashup of two technologies: Yahoo Pipes and 3tera’s AppLogic.

Yahoo Pipes is "…an interactive data aggregator and manipulator that lets you mashup your favorite online data sources."  Assuming you have data from various sources you want to present, an application environment such as Pipes will allow you to dynamically access, transform and present this information any way you see fit.

This means that you can create what amounts to applications and services on demand.

Let’s agree however that while you have the data integration/presentation layer, in many cases you would traditionally require a complex collection of infrastructure from which this source data is housed, accessed, maintained and secured. 

However, rather than worry about where and how the infrastructure is physically located, let’s use the notion of utility/grid computing to make available dynamically an on-demand architecture that is modular, reusable and flexible to make my service delivery a reality — using the Internet as a transport.

Enter 3Tera’s AppLogic:

3Tera’s AppLogic is used by hosting providers to offer true utility computing. You get all the control of having your own virtual datacenter, but without the need to operate a single server.

Deploy and operate applications in your own virtual private datacenter

Set up infrastructure, deploy apps and manage operations with just a browser    
Scale from a fraction of a server to hundreds of servers in days

Deploy and run any Linux software without modifications

Get your life back: no more late night rushes to replace failed equipment

In fact, BT is using them as part of the 21CN project which I’ve written about many times before.

So check out this vision, assuming the InternetOS as a transport.  It’s the drag-and-drop, point-and-click Metaverse of virtualized application and data combined with on-demand infrastructure.

You first define the logical service composition and provisioning through 3Tera with a visual drag-drop canvas, defining firewalls, load-balancers, switches, web servers, app. servers, databases, etc.  Then you click the "Go" button.  AppLogic provisions the entire thing for you without you even necessarily knowing where these assets are.

Then, use something like Pipes to articulate how data sources can be accessed, consumed and transformed to deliver the requisite results.  All over the Internet, securely and transparently to you.

Very cool stuff.

Here are some screen-caps of Pipes and 3Tera.

[Screenshot: Yahoo Pipes]

[Screenshot: 3Tera]

More on GoogleTini…(Google/Postini Acquisition) by Way of Shimel’s Post

July 10th, 2007 8 comments

Yesterday’s post regarding my prognostication of the Google/Postini M&A activity yielded a ton of off-line feedback/opinion/queries.  I had three press/analyst calls yesterday on my opinion, so either I’m tickling somebody’s interest funny bone or I’m horribly wrong 😉

Either way, Alan Shimel piped up today with his perspective.  It’s not often I disagree with Alan, but the root of his comment leaves me puzzled.  Alan said:

I do not think that Google’s acquisition of Postini is a shot across
the bow of Microsoft.  I think Google goes about its business of
delivering on its vision.  I think its vision is rather simple really.
Google believes that the future belongs to Software as a Service
(SaaS).  As part of their SaaS strategy, they need to secure their web
based apps, as well as offer security as a service.  This is not really
much different than Microsoft’s "Live" program, also a Software as a
Service play.  That is where the competition is.

It appears that Alan’s really re-stating what I said yesterday regarding SaaS and especially as I highlighted the security aspects thereof, but his statements are strangely contradictory in the scope of this single paragraph.

To wit, if Google is indeed focused on SSaaS (Secure Software as a Service) and they’re looking to displace at least for certain markets traditional "Office" applications which are Microsoft’s cash cow ($12B business?) how is this not a "shot across the bow of Microsoft?"

Further, if Microsoft is engaging in SaaS with Live, then it further underscores the direct competitive model that demonstrates that Microsoft (et al.) are firmly in the target hairs.

What am I missing here?

/Hoff

(EDIT: Added a link to an interview I did with TheStreet.com here.)


Tell Me Again How Google Isn’t Entering the Security Market? GooglePOPs will Bring Clean Pipes…

July 9th, 2007 2 comments

Not to single out Jeremiah, but in my Take5 interview with him, I asked him the following:

3) What do you make of Google’s foray into security?  We’ve seen them crawl sites and index malware.  They’ve launched a security  blog.  They acquired GreenBorder.  Do you see them as an emerging force to be reckoned with in the security space?

…to which he responded:

I doubt Google has plans to make this a direct revenue generating  exercise. They are a platform for advertising, not a security company. The plan is probably to use the malware/solution research  for building in better security in Google Toolbar for their users.  That would seem to make the most sense. Google could monitor a user’s  surfing habits and protect them from their search results at the same time.

To be fair, this was a loaded question because my opinion is diametrically opposed to his.   I believe Google *is* entering the security space and will do so in many vectors and it *will* be revenue generating. 

This morning’s news that Google is acquiring Postini for $625 Million dollars doesn’t surprise me at all and I believe it proves the point. 

In fact, I reckon that in the long term we’ll see the evolution of the Google Toolbar morph into a much more intelligent and rich client-side security application proxy service whereby Google actually utilizes client-side security of the Toolbar paired with the GreenBorder browsing environment and tunnel/proxy all outgoing requests to GooglePOPs.

What’s a GooglePOP?

These GooglePOPs (Google Point of Presence) will house large search and caching repositories that will — in conjunction with services such as those from Postini — provide a "clean pipes" service to the consumer.  Don’t forget utility services that recent acquisitions such as GrandCentral and FeedBurner provide…it’s too bad that eBay snatched up Skype…

Google will, in fact, become a monster ASP.  Note that I said ASP and not ISP.  ISP is a commoditized function.  Serving applications and content as close to the user as possible is fantastic.  So pair all the client side goodness with security functions AND add GoogleApps and you’ve got what amounts to a thin client version of the Internet.

Remember all those large sealed shipping containers (not unlike Sun’s Project Blackbox) that Google is rumored to place strategically around the world — in conjunction with their mega datacenters?  I think it was Cringely who talked about this back in 2005:

In one of Google’s underground parking garages in Mountain View … in a secret area off-limits even to regular GoogleFolk, is a shipping container. But it isn’t just any shipping container. This shipping container is a prototype data center.

Google hired a pair of very bright industrial designers to figure out how to cram the greatest number of CPUs, the most storage, memory and power support into a 20- or 40-foot box. We’re talking about 5000 Opteron processors and 3.5 petabytes of disk storage that can be dropped-off overnight by a tractor-trailer rig.

The idea is to plant one of these puppies anywhere Google owns access to fiber, basically turning the entire Internet into a giant processing and storage grid.

Imagine that.  Buy a ton of dark fiber, sprout hundreds of these PortaPOPs/GooglePOPs and you’ve got the Internet v3.0

Existing transit folks that aren’t Yahoo/MSN will ultimately yield to the model because it will reduce their costs for service and they will basically pay Google to lease these services for resale back to their customers (with re-branding?) without the need to pay for all the expensive backhaul.

Your Internet will be served out of cache…"securely."  So now instead of just harvesting your search queries, Google will have intimate knowledge of ALL of your browsing — scratch that — all of your network-based activity.   This will provide for not only much more targeted ads, but also the potential for ad insertion, traffic prioritization to preferred Google advertisers all the while offering "protection" to the consumer.

SMBs and the average Joe consumers will be the first to embrace this as cost-based S^2aaS (Secure Software as a Service) becomes mainstream and this will then yield a trickle-up to the Enterprise and service providers as demand will pressure them into providing like levels of service…for free.

It’s not all scary, but think about it…

Akamai ought to be worried.  Yahoo and MSN should be worried.  The ISPs of the world investing in clean pipes technologies ought to be worried (I’ve blogged about Clean Pipes here.)

Should you be worried?  Methinks the privacy elements of all this will spur some very interesting discussions.

Talk amongst yourselves.

/Hoff

(Didn’t see Newby’s post here prior to writing this…good on-topic commentary.  Dennis Fisher over at the SearchSecurity Blog has an interesting Microsoft == Google perspective.)

Take5 (Episode #4) – Five Questions for Shlomo Kramer, Founder/CEO of Imperva

July 8th, 2007 No comments

This fourth instance of Take 5 interviews Shlomo Kramer, Founder and CEO of Imperva.

First a little background on the victim:

In 2006, Shlomo Kramer was selected by Network World magazine as one of 20 luminaries who changed the network industry.

Prior to founding Imperva, Mr. Kramer co-founded Check Point Software Technologies Ltd. in 1993. At Check Point, he served in various executive roles through 1998 and as a member of the board of directors through 2003. While at Check Point, Mr. Kramer played a key role in defining and creating several category-defining products and solutions, including FireWall-1, VPN-1, FloodGate-1, Check Point’s OPSEC alliance, and Check Point’s security appliance program.

Mr. Kramer has participated as an early investor and board member in a number of security and enterprise software companies including Palo Alto Networks, Serendipity Technologies, and Trusteer. Mr. Kramer received a Masters degree in Computer Science from Hebrew University of Jerusalem and a Bachelor of Science degree in Mathematics and Computer Science from Tel Aviv University.

Questions:

1) As most people know, you are a co-founder of Check Point and the CEO of Imperva.  You’re a serial entrepreneur who has made a career of bringing innovation to the security market.  What are you working on now that is new and exciting?

All my time has been devoted in the last few years to Imperva. This project continues to excite me. After five years of hard work, it is very rewarding to see Imperva being recognized as the leader in application data security and compliance. Imperva delivers data governance and protection solutions for monitoring, audit, and security of business applications and databases. This is really a hot issue for organizations given the new threat landscape, regulations such as PCI and SOX and the ever increasing privacy legislation. I have always believed what we do at Imperva will define a new product category and the last couple of years have been a big step towards that.

I am also involved as an investor and board member in a number of other great security startups.  One example is Palo Alto Networks (www.paloaltonetworks.com), a next-generation firewall company. Their products provide full visibility and policy control over applications across all ports, all protocols, all the time–with no performance degradation. We’ve just launched the company, it’s an exciting time for Palo Alto Networks.

Another great company I am involved with is Trusteer (www.trusteer.com). Trusteer addresses the critical problem of protecting on-line transactions. Trusteer came up with a revolutionary way to protect online business from any "client-side" identity threat such as phishing, pharming, and crimeware. Helping business strengthen consumer trust, reduce costs, and differentiate online services is a big challenge and Trusteer has a very interesting and unique solution.

2) So tell us more about Palo Alto Networks on whose Board you sit.   The company has assembled an absolutely amazing group of heavy hitters from industry.  Either you’ve already got the company sold to Cisco and everyone’s signing on for the options or this is really going to be huge.  What’s so different  about what PAN is doing?

Existing firewalls are based on Stateful Inspection, which employs a port and protocol approach to traffic classification. The problem existing firewall vendors face is the fact that much of their core technology (Stateful Inspection) is over a dozen years old and new applications have found a variety of ways to evade or bypass them with relative ease. Attempts by firewall vendors to fix the problem, including ‘bolting-on’ Intrusion Prevention (IPS) or Deep Packet Inspection as an additional feature, have proven unsuccessful, resulting in significant issues with accuracy, performance and management complexity.

Starting with a blank slate, the Palo Alto Networks founders took an application-centric approach to traffic classification, thereby enabling visibility into, and control over, Internet applications running on enterprise networks. The PA-4000 Series is a next-generation firewall that classifies traffic based on the accurate identification of the application, irrespective of the port, protocol, SSL encryption or evasive tactic used.

3) Having been an early adopter of Check Point, Imperva, Vidius, Skybox, Sanctum, etc. I clued in long ago to the power of the Israeli influence in the security industry.   Why are so many of the market leading technologies coming out of Israel? What’s in the water over there?

Really the start was with IDF based incubation of security know-how some 20 years ago. That for sure has been the case when we started Check Point. Over the years, an independent security community has emerged and by now it is very much a self perpetuating eco-system. I am very proud of being one of the founders not only of Check Point and Imperva but also of this broader Israeli security community.

4) We haven’t had a big worm outbreak in the last couple of years and some would argue it’s quiet out there. While identity theft leads the headlines these days, what’s the silent killer lurking in the background that people aren’t talking  about in the security industry?

When we started Imperva in 2002, security was all about worms – it was about a “my attack is bigger than yours” hacker mentality. We believed that future threats would be different and would be focused on targeted attacks.  We placed a bet that the motive of hackers would shift from ego to profit.  We’ve definitely seen that trend materialize over the last couple of years. On the server side, 50% of data leakage involves SQL-injection attacks and XSS is increasingly a leading threat, especially with the added complexity of Web 2.0 applications. Additionally, on the client side we are seeing many more targeted attacks, all the way down to the specific brokerage and on-line banking system you are using. The crimeware infecting your laptop cannot be addressed by a generic, negative logic solution, like anti-virus or anti-spyware, nor will strong authentication help circumvent its malice.
These targeted attacks on business data and on-line transactions are the focus of both Imperva and Trusteer. Imperva focuses on the server side of the transaction while Trusteer focuses on the client side.

5) With Imperva, you’re in the Web Application Security business.  What’s your take on the recent acquisitions by IBM and HP and how they are approaching the problem?  For companies whose core competencies are not focused on security, will this sort of activity really serve the interest of the customer or is it just opportunism?

Just to clarify, Imperva is actually in the application data security and compliance business, a major component of which is Web application security.  Securing databases and big enterprise applications are also part of that picture, as well as addressing regulatory mandates around data usage.  It’s all interrelated.

I think the moves by HP & IBM validate a general trend that we at Imperva have been evangelizing for some time — that application security is a huge issue, and we as an industry really need to get serious about protecting business applications and data.

I would argue that they won’t solve application security and compliance issues with these acquisitions alone.  The reason is that these solutions are only scratching the surface of the issues.  For one, most organizations use packaged applications and don’t have access to modify the source code to fix the issues they might find.  And lots of organizations take a long time to fix code errors even if they do have the capability to modify the code.  This argues for an independent mechanism to implement protections outside the code development / fix process. 

But the larger issue is scope – the data that organizations ultimately want to protect usually lives in a database and is accessed by a variety of mechanisms –applications are one, but direct access by internal users and other internal systems is another huge area of risk.  So addressing only one part of the application’s relationship to this data is not enough.  In my opinion, addressing the whole application data system is ultimately the way to address the core application and data security issue.


Fat Albert Marketing and the Monetizing of Vulnerability Research

July 8th, 2007 No comments

Over the last couple of years, we’ve seen the full spectrum of disclosure and "research" portals arrive on scene; examples stem from the Malware Distribution Project to 3Com/TippingPoint’s Zero Day Initiative.  Both of these examples illustrate ways of monetizing the output trade of vulnerability research.   

Good, bad or indifferent, one would be blind not to recognize that these services are changing the landscape of vulnerability research and pushing the limits which define "responsible disclosure."

It was only a matter of time until we saw the mainstream commercial emergence of the open vulnerability auction which is just another play on the already contentious marketing efforts blurring the lines between responsible disclosure for purely "altruistic" reasons versus commercial gain.

Enter Wabisabilabi, the eBay of Zero Day vulnerabilities.

This auction marketplace for vulnerabilities is marketed as a Swiss "…Laboratory & Marketplace Platform for Information Technology Security" which "…helps customers defend their databases, IT infrastructure, network, computers, applications, Internet offerings and access."

Despite a name which sounds like Mushmouth from Fat Albert created it (it’s Japanese in origin, according to the website) I am intrigued by this concept and whether or not it will take off.

I am, however, a little unclear on how customers are able to purchase a vulnerability and then become more secure in defending their assets. 

A vulnerability without an exploit, some might suggest, is not a vulnerability at all — or at least it poses little temporal risk.  This is a fundamental debate of the definition of a Zero-Day vulnerability. 

Further, a vulnerability that has a corresponding exploit but without a countermeasure (patch, signature, etc.) is potentially just as useless to a customer if you have no way of protecting yourself.

If you can’t manufacture a countermeasure, even if you hoard the vulnerability and/or exploit, how is that protection?  I suggest it’s just delaying the inevitable.

I am wondering how long until we see the corresponding auctioning off of the exploit and/or countermeasure?  Perhaps by the same party that purchased the vulnerability in the first place?

Today in the closed loop subscription services offered by vendors who buy vulnerabilities, the subscribing customer gets the benefit of protection against a threat that they may not even know they have, but for those who can’t or won’t pony up the money for this sort of subscription (which is usually tied to owning a corresponding piece of hardware to enforce it), there exists a point in time between when the vulnerability is published and when this knowledge is made available universally.

Depending upon this delta, these services may be doing more harm than good to the greater populace.

In fact, Dave G. over at Matasano argues quite rightly that by publishing even the basic details of a vulnerability that "researchers" will be able to more efficiently locate the chunks of code wherein the vulnerability exists and release this information publicly — code that was previously not known to even have a vulnerability.

Each of these example vulnerability service offerings describes how the vulnerabilities are kept away from the "bad guys" by qualifying their intentions based upon the ability to pay for access to the malicious code (we all know that criminals are poor, right?)  Here’s what the Malware Distribution Project describes as the gatekeeper function:

Why Pay?

Easy; it keeps most, if not all of the malicious intent, outside the
gates. While we understand that it may be frustrating to some people
with the right intentions not allowed access to MD:Pro, you have to
remember that there are a lot of people out there who want to get
access to malware for malicious purposes. You can’t be responsible on
one hand, and give open access to everybody on the other, knowing that
there will be people with expressly malicious intentions in that group.

ZDI suggests that by not reselling the vulnerabilities but rather protecting their customers and ultimately releasing the code to other vendors, they are giving back:

The Zero Day Initiative (ZDI) is unique in how the acquired
vulnerability information is used. 3Com does not re-sell the
vulnerability details or any exploit code. Instead, upon notifying the
affected product vendor, 3Com provides its customers with zero day
protection through its intrusion prevention technology. Furthermore,
with the altruistic aim of helping to secure a broader user base, 3Com
later provides this vulnerability information confidentially to
security vendors (including competitors) who have a vulnerability
protection or mitigation product.

As if you haven’t caught on yet, it’s all about the Benjamins. 

We’ve seen the arguments ensue regarding third party patching.  I think that this segment will heat up because in many cases it’s going to be the fastest route to protecting oneself from these rapidly emerging vulnerabilities you didn’t know you had.

/Hoff

For Sale / Special Price: One (Un)detectable Hyperjacking PillWare: $416,000. Call Now While Supplies Last!

June 29th, 2007 No comments

Joanna Rutkowska of "Invisible Things" Blue Pill Hypervisor rootkit fame has a problem.  It’s about 6 foot+ something, dresses in all black and knows how to throw down both in prose and in practice.

Joanna and crew maintain that they have the roughed-out prototype that supports their assertion that their HyperJacking malware is undetectable.  Ptacek and his merry band of Exploit-illuminati find this a hard pill to swallow and reckon they have a detector that can detect the "undetectable."

They intend to prove it.  This is awesome!  It’s like the Jackson/Liddell UFC fight.  You don’t really know who to "root" for, you just want to be witness to the ensuing carnage!

We’ve got a stare down.  Ptacek and crew have issued a challenge that they expect — with or without Joanna’s participation — to demonstrate successfully at BlackHat Vegas:

Joanna, we respectfully request terms under which you’d agree to an
“undetectable rootkit detection challenge”. We’ll concede almost
anything reasonable; we want the same access to the
(possibly-)infected machine than any antivirus software would get.

The backstory:

  • Dino Dai Zovi, under Matasano colors,
    presented a hypervisor rootkit (“Vitriol”) for Intel’s VT-X extensions at Black Hat last year,
    at the same time as Joanna presented BluePill for AMD’s SVM.

  • We concede: Joanna’s rootkit is cooler than ours. I particularly
    liked using the debug registers to grab network traffic out of
    the drivers. We stopped weaponizing Vitriol.

  • Peter Ferrie, the Symantec branch of our Black Hat team, releases
    a kick-ass paper
    on hypervisor detection. Peter’s focus is
    on fingerprinting software hypervisors (like VMWare), but he also
    comes up with a clever way to detect hardware virtualization.

  • Nate Lawson, Dino, and I are, simultaneously, working on hardware
    rootkit detection techniques.

  • Nate, Peter, Dino, and I join up to defend our thesis at Black
    Hat: if you surreptitiously “hyperjack” an OS, enabling hardware
    virtualization (or replacing or infecting an existing hypervisor),
    you introduce so many subtle changes in system behavior — timing
    and otherwise — that you’re bound to be detectable.

…and Joanna respondeth, signaling her "readiness" and conditions for the acceptance of said challenge:

Thomas Ptacek and company just came up with this funny challenge to test our Blue Pill rootkit. And, needless to say, the Invisible Things Lab team is ready to take their challenge, however with some additional requirements, that would assure the fairness of the contest.

First, we believe that 2 machines are definitely not enough, because the chance of correct guess, using a completely random (read: unreliable) detection method is 50%. Thus we think that the reasonable number is 5 machines. Each of them could be in a state 0 or 1 (i.e. infected or not). On each of these machines we install two files: bluepill.exe and bluepill.sys

The .sys file is digitally signed, so it loads without any problem (we could use one of our methods for loading unsigned code on vista that we’re planning to demonstrate at BH, but this is not part of the challenge, so we will use the official way).

The bluepill.exe takes one argument which is 0 or 1. If it’s 1 it loads the driver and infects the machines. If it’s 0 it also loads the driver, but the driver does not infect the machine.

So, on each of the 5 machines we run bluepill.exe with randomly chosen argument, being 0 or 1. We make sure that at least one machine is not infected and that at least one machine is infected.

After that the detection team runs their detector.exe executable on each machine. This program can not take any arguments and must return only one value: 0 or 1. It must act autonomously — no human assistance when interpreting the results.

The goal of the detection team is to correctly mark each machine as either being infected (1) or not (0). The chance of a blind guess is:

1/(2^5-2) = 3%


The detector can not cause system crash or halt the machine — if it does they lose. The detector can not consume significant amount of CPU time (say > 90%) for more than, say 1 sec. If it does, then it’s considered disturbing for the user and thus unpractical.

The source code of our rootkit as well as the detector should be provided to the judges at the beginning of the contests. The judges will compile the rootkit and the detector and will copy the resulting binaries to all test machines.

After the completion of the contest, regardless of who wins, the sources for both the rootkit and the detector will be published in the Internet — for educational purpose to allow others to research this subject.

Our current Blue Pill has been in the development for only about 2 months (please note that we do not have rights to use the previous version developed for COSEINC) and it is more of a prototype, with primary use for our training in Vegas, rather than a "commercial grade rootkit". Obviously we will be discussing all the limitations of this prototype during our training. We believe that we would need about 6 months full-time work by 2 people to turn it into such a commercial grade creature that would win the contest described above. We’re ready to do this, but we expect that somebody compensate us for the time spent on this work. We would expect an industry standard fee for this work, which we estimate to be $200 USD per hour per person.

If Thomas Ptacek and his colleagues are so certain that they found a panacea for virtualization based malware, then I’m sure that they will be able to find sponsors willing to financially support this challenge.

As a side note, the description for our new talk for Black Hat Vegas has just been published yesterday.

So, if you get past the polynomial math, the boolean logic expressions, and the fact that she considers this challenge "funny," reading between the HyperLines, you’ll extract the following:

  1. The Invisible Things team has asserted for some time that their rootkit is 100% undetectable
  2. They’ve worked for quite some time on their prototype, however it’s not "commercial grade"
  3. In order to ensure success in winning the competition and thus proving the assertion, they need to invest time in polishing the rootkit
  4. They need 5 laptops to statistically smooth the curve
  5. The Detector can’t impact performance of the test subjects
  6. All works will be Open Sourced at the conclusion of the challenge
    (Perhaps Alan Shimel can help here! 😉 ) and, oh, yeah…
  7. They have no problem doing this, but someone needs to come up with $416,000 to subsidize the effort to prove what has already been promoted as fact

That last requirement is, um, unique.

Nate Lawson, one of the challengers, is less than impressed with this codicil and respectfully summarizes:

The final requirement is not surprising. She claims she has put four
person-months work into the current Blue Pill and it would require
twelve more person-months for her to be confident she could win the
challenge. Additionally, she has all the experience of developing Blue
Pill for the entire previous year.

We’ve put about one person-month into our detector software and have
not been paid a cent to work on it. However, we’re confident even this
minimal detector can succeed, hence the challenge. Our Blackhat talk
will describe the fundamental principles that give the detector the
advantage.

If Joanna’s time estimate is correct, it’s about 16 times harder to
build a hypervisor rootkit than to detect it. I’d say that supports our
findings.

I’m not really too clear on Nate’s last sentence as I didn’t major in logic in high school, but to be fair, this doesn’t actually discredit Joanna’s assertion; she didn’t say it wasn’t difficult to detect HV rootkits, she said it was impossible. Effort and possibility are mutually exclusive.

This is going to be fun.  Can’t wait to see it @ BlackHat.

See you there!

/Hoff


Categories: Virtualization, VM HyperJacking Tags:

Holed up in Milan, Italy on SpecOps Assignment…Advanced Bug Hunting

June 28th, 2007 5 comments

The location is far from classified; the Grand Visconti Palace in Milan Italy.  It’s a dirty job, but someone’s got to do it.  This is the nasty stuff though…the wet work. 

This is the stuff nobody else wants to do.  Even talking about it is painful.  Talking about it is what we’re trained NOT to do.  But I’m alone.  There’s no one coming for me.  This could be it.

I’m holed up in my hotel room on this assignment, awaiting extraction.  I’m fifty clicks from the LZ, the transpo isn’t due for another 6 hours.  Radio silence.

I knew that when I took the job that it meant lonely, dangerous work.  It’s 01:18am here now.  I’m delirious after an aggravating lack of sleep. 

My mission grinds on against the backdrop of reveling Italian supermodels drunk in the streets below, the enticing aromas of tagliatelle that permeate the very fabric of this country, and what can only be described as the Roman Jerry Spring(ieri) show bellowing through the thin walls of my room from the reveling assclowns next door.

I can’t sleep.  I mustn’t.  I want to, and I strain against the overbearing slabs of concrete that my eyelids have become.  Must.  Hang.  On.

It’s not because of the supermodels, the pasta or the Jerry special on midget tossing.  No, I can’t sleep because I am subject to the relentless onslaught of an attack as a direct counter-response to my bug hunting activities.   

This is where all the training pays off.  This is where intuition takes over.  Fear has no place in my world.  I will shed blood.  Some of it mine.  But I shall hold fast and like those from Rome and Sparta before me, I will emerge triumphant.

I am wounded.  I want to scrape away the pain but the more that I do, the worse it becomes.  My very soul itches.

The heat is unbearable.  The sweat drips into my eyes. I must focus.  I practice Tai Chi to center myself and prepare for what is assuredly coming.

My foe is an intelligent adversary.  In light and dark, he appears from stealth taking quick swaths at me; feeling me out for just how far I will go to defend against attack; my reach, my skill, my will.  He is lightning quick.  No warning until it is too late. 

The attack comes.  That sound that drills into my psyche.  It taunts me.  It mocks me.  The inevitable pain delivered again. Can’t.  See.

I must take action.  My body takes over.  The will to defend is overwhelming.  I stab the air.  Kicking, screaming, smacking. 

Slapping. 

Myself. 

I’ve poked myself in the eye with my thumb and backhanded my skull as I valiantly deflect the attack.  I try to hide under the cover of whatever I can shield myself with.  Furniture.  Bedding.  Pellegrino bottles.  I take evasive maneuvers.  Why won’t he stop!?  The pain of anticipation is worse than the wounds themselves.

I flashback to training.  Fight stealth with stealth.  I’ll wait for his recon; look for the flash and strike.  Must.  Seek.  Cover.

Should I wait it out in the closet — maybe the bathroom?

He’s coming again.  Relentless.  He appears, cloaked in deception and disdain.  Then, like that, he disappears.  I scratch at phantom wounds that aren’t there.  That sound!  Make it stop!

Ripping through the air; wildly grasping for swaths of atmosphere…hoping to grab hold of…something in the dark.  And squash it.  Die!

I want to deliver death swiftly.  Mercilessly.  Over and over again.  Uncaring, nasty, excruciating death.  Now.  This has gone on for hours.  I need to sleep.

But it is not to be.  I will be tormented all night until I can leave this hellhole and find solace in the airport awaiting the ride home.

I am now lying in my bathtub where it is safe.  The fan is on, Macbook Pro on my lap, wirelessly connected.  My only lifeline to the world.  To you.

My enemy cannot reach me here.  Perhaps he will retreat and try to strike again later.

F’ing Mosquitoes!

/Hoff

Categories: Jackassery Tags:

Take5 (Episode #3) – Five Questions for Jeremiah Grossman, Founder/CTO of Whitehat Security

June 28th, 2007 No comments

This third instance of Take 5 interviews Jeremiah Grossman, Founder & CTO of Whitehat Security.

First a little background on the victim:

Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld’s Top 25 CTOs for 2007.  Mr. Grossman is a frequent speaker at industry events including the BlackHat Briefings, ISACA, CSI, OWASP, Vanguard, ISSA, OWASP, Defcon, etc.  He has authored dozens of articles and white papers, credited with the discovery of many cutting-edge attack and defensive techniques, and co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, C-Net, SC Magazine, CSO, and InformationWeek.  Prior to WhiteHat he was an information security officer at Yahoo!

Here is Jeremiah’s blog and a new book on XSS that he co-authored.

Questions:

1) You’re probably best known for your work on JavaScript attacks,
XSS, and CSRF.  This stuff is such a mess and represents an
insidious vector for attack.  Do you think we’re ever going to be
able to get this genie back in the bottle or are we totally screwed?

Fortunately the Web will hum along and adapt no matter how bad
the "hacker attacks" get. We know XSS and CSRF vulnerabilities are
everywhere, but the bigger problem is we don’t know exactly where
they ALL are. This is what makes the problem really hard to solve.
Short of an entire rewrite of THE WEB, we’re going to be stuck with
XSS, CSRF, and two dozen other issues for many years to come. Though
as websites are revamped with new development frameworks for business
reasons we’ll see security improve naturally.


2) Your days of securing hundreds of websites at Yahoo set the
stage for what you do today.

Yah, I left the behemoth portal and now I find myself responsible for
helping to secure more websites than ever!  🙂

What elements of today’s emerging security problems that you are
working on do you think will become another area of focus for you
in the long term?

At WhiteHat we’re delivering website vulnerability assessment (VA) on
an unprecedented scale. This is important because companies need to
constantly monitor the security of ALL their websites ALL the time.
Prior to WhiteHat the best a company could do were annual audits only
affordable on a select few websites. As websites change this process
clearly doesn’t work and the number of incidents and vulnerability
prevalence are prime indicators. We need to be able to assess
hundreds, thousands, tens of thousands of the world’s largest and most
important websites no matter how big or how often they change. This
insight will provide intelligence we need to start solving the problem.

The second phase is figuring how to “fix” the problem and prevent new
vulnerabilities from cropping up in the first place. Security inside
the SDLC has been talked about a lot and will improve software
security in the long run. In the meantime, there are a ton of
websites and even more vulnerabilities where relief is required
between now and then. Web application firewalls are a likely option.
What I’d like to see is tight integration between VA solutions and
WAF devices. Since VA knows the specific type and location of
vulnerabilities in a website technically they could communicate a
highly accurate rule or “virtual patch” to a WAF and block any
incoming attacks. This would provide security professionals more
control over the security of a website and developers time to
address the problem.

3) What do you make of Google’s foray into security?  We’ve seen
them crawl sites and index malware.  They’ve launched a security
blog.  They acquired GreenBorder.  Do you see them as an emerging
force to be reckoned with in the security space?

I doubt Google has plans to make this a direct revenue generating
exercise. They are a platform for advertising, not a security
company. The plan is probably to use the malware/solution research
for building in better security in Google Toolbar for their users.
That would seem to make the most sense. Google could monitor a user’s
surfing habits and protect them from their search results at the same
time.

4) You recently participated in the CSI working group on Web
Security Research Law in which you and other experts toiled over
the legal and ethical elements of web security vulnerability and
disclosure. Given the report’s outcome of more questions than
answers, where do you stand personally on the issue of disclosure?


My personal actions probably won’t change much. I’ve been in the
non-disclosure camp for a while, unless I had a personal relationship
with the company. What has changed is my understanding on the
legalities of website vulnerability discovery. Apparently there is NO
clear-cut guidance as to what security researchers (in the US) are
legally allowed to do or not do. Once the website owner complains to
law enforcement it could quickly become a nightmare for the
researcher no matter how pure their intentions. So the unfortunate
consequence of all this will be the “good guys” will tend to stop
looking, and more importantly stop disclosing, while the bad guys get
the run of the place no matter what anyway. The net effect is bad for
website security and the consumer. Welcome to Web 2.0.

5) So you practice Jiu Jitsu in competition, you play Aussie Rules
Football (in *real* countries like NZ, we play Rugby…) and you
make the Internet safe for women and children.  Death wish,
misplaced angst or ADD?

And you say I have a death wish! I dare you to say those words on the
pitch in front of the Aussies. 🙂  Anyway, I’ve NEVER been accused of
having ADD, if anything too focused. I tend to enjoy extreme sports
and keep myself very busy, part of my personality. Unsolvable
problems are the other thing that are attractive to me. Glutton for
punishment. 🙂
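
The VA-to-WAF "virtual patch" hand-off described in answer 2 above, sketched as an added example (not from the interview, WhiteHat, or any WAF vendor): a finding's location and parameter are rendered as a ModSecurity rule that allow-lists the parameter's expected shape, with a small local model of the rule for checking it. The `Finding` fields, the allow-list patterns, the rule id base and the sample findings are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Allow-list pattern per expected parameter type (assumed types, constructed here).
ALLOW = {
    "integer": r"^[0-9]{1,10}$",
    "word": r"^[A-Za-z0-9_-]{1,64}$",
    "text": r"^[A-Za-z0-9 _.-]{0,128}$",
}
_SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.-]*")
_SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


@dataclass(frozen=True)
class Finding:
    """One VA result: where the flaw is and what the parameter should contain."""
    finding_id: int
    vuln_class: str  # label for the log message only, e.g. "xss"
    path: str
    param: str
    expected: str    # key into ALLOW


def to_modsec(f: Finding, base_id: int = 9_100_000) -> str:
    """Render the finding as a chained ModSecurity rule for one path and parameter."""
    if f.expected not in ALLOW:
        raise ValueError(f"unknown parameter type: {f.expected!r}")
    # Scanner output is untrusted input to the rule file: refuse anything that
    # could break out of the quoted operator or action strings.
    if not (_SAFE_PATH.fullmatch(f.path) and _SAFE_NAME.fullmatch(f.param)
            and _SAFE_NAME.fullmatch(f.vuln_class)):
        raise ValueError("finding field is not safe to embed in a rule")
    msg = f"Virtual patch for VA finding {f.finding_id} ({f.vuln_class}) in {f.param}"
    actions = f"id:{base_id + f.finding_id},phase:2,deny,status:403,log,msg:'{msg}',chain"
    return (
        f'SecRule REQUEST_FILENAME "@streq {f.path}" "{actions}"\n'
        f'    SecRule ARGS:{f.param} "!@rx {ALLOW[f.expected]}" "t:none"'
    )


def blocked(f: Finding, url: str) -> bool:
    """Local model of the rule (query string only): would this request be denied?"""
    parts = urlsplit(url)
    if parts.path != f.path:
        return False  # the rule is scoped to the vulnerable location only
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k == f.param]
    # Like ARGS:name, every occurrence of the parameter is checked.
    return any(re.search(ALLOW[f.expected], v) is None for v in values)


# Constructed sample findings, as a scanner might report them.
XSS = Finding(17, "xss", "/search", "q", "text")
SQLI = Finding(42, "sqli", "/item", "id", "integer")

if __name__ == "__main__":
    for finding in (XSS, SQLI):
        print(to_modsec(finding), end="\n\n")
    for f, url in [(XSS, "/search?q=blue+pill"),
                   (XSS, "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
                   (SQLI, "/item?id=42"),
                   (SQLI, "/item?id=42%20OR%201=1")]:
        print("deny " if blocked(f, url) else "allow", url)
```

Because each rule is scoped to one path and one parameter, it leaves the rest of the site's traffic untouched while the developers fix the underlying code.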

Categories: Uncategorized Tags:

BrokeNAC Mountain – “I wish I knew how to quit you.”

June 25th, 2007 1 comment

An entire day and forum dedicated to NAC in the NYC?  Huh.  I thought we did that at InterOp and RSA already!?  I suppose it’s necessary to wade through all the, uh, information surrounding the second coming of network security.

If someone builds one for UTM, I will kill myself.   

Oh NAC…I wish I knew how to quit you!

(I was going to photoshop the poster to the left including Alan Shimel and changing the title to BrokeNAC Mountain, but I can’t find my Photoshop CD and I’ve got a plane to catch to Milan…)

I’ve made it clear that I think NAC (Network Admission Control and Network Access Control) is valuable and worth investing in as part of a layered defense.  It ain’t the silver bullet of security, however.  Maybe Stiennon can come up with a new name for it and it will be?

I’ve also made it clear that despite the biggest amount of hype since the Furby, NAC will become a feature as part of a conglomeration of solutions in the short term (24 months); it already is a replacement blanket marketing term for companies that used to be SSL VPN’s that then became IPS’s that are now NAC.  Look at the companies that now claim they’re NAC-focused.  That’s usually because the "market" they were in previously collapsed — just like NAC will.

It seems that NAC’s relationship with the world plays out just like a scene from Brokeback Mountain where the two main characters discuss whether the public sees through the thin facade of the uneasy relationship they project to the world — just like the front NAC puts on:

Ennis Del Mar:
You ever get the feelin’… I don’t know, er… when you’re in town and
someone looks at you all suspicious, like he knows? And then you go out
on the pavement and everyone looks like they know too?
Jack Twist:
[Casually] Well… maybe you oughta get out of there, you know? Find yourself someplace different. Maybe Texas.

Ennis Del Mar:
[Sarcastically]
Texas? Sure, maybe you can convince Alma to let you and Lureen to adopt
the girls. And we can just live together herding sheep. And it’ll rain
money from LD Newsome and whiskey’ll flow in the streams – Jack, that’s
real smart.
Jack Twist:
Go to hell, Ennis. If you wanna live your miserable fuckin’ life, then go right ahead.

Ennis Del Mar:
Fine.

Jack Twist:
I was just thinkin’ out loud.

Ennis Del Mar:
Yep, you’re a real thinker there. Goddamn. Jack fuckin’ Twist; got it all figured out, ain’t ya?

If the next NAC Forum is held in Texas, you’ll know the end of the world is near…’course there ain’t nuthin’ wrong with the heavens rainin’ money and streams full-a whiskey…

At any rate, I was catching up on my back-dated blog entries and just read Dom Wilde’s (Nevis Networks  Illuminiations Blog) summary of the Network Computing NAC 2007 Forum and couldn’t help but chuckle.  Shimel’s review seemed a little more upbeat compared to Dom’s, but since Alan got stalked by a blogger paparazzi in a three-wheeled, pedal-powered rickshaw, I can see why.

Snippet Summary from Dom’s Post:

It’s little wonder that people are confused about NAC.  Too many times
during the day I found myself with a furrowed brow trying to delineate
between reality and fiction…Disappointing moment of the day – 7 panelists on the OOB panel frying
the audience’s collective brain, by taking 10 minutes each to say "me
too".  Result: half the audience didn’t return after lunch for more
lively and concise discussions on in-line and framework based
solutions, and more critically, to hear narratives and lessons learned
from people who have deployed NAC.

Snippet Summary from Alan’s Post:

Anyway, it was a great way for people looking at deploying NAC to come
up and touch and feed a real live NAC vendor. Ultimately, you still
have to install the product and play with it yourself to see if it
works.  There were lots of claims and NAC crap flying today.  I also
would like to see more of a panel of answering questions than just
giving our elevator pitch powerpoints to the crowd.  Still a worthwhile
day and a good job by Network Computing. I think all of the elevator
pitches will be posted on NC site soon.

Sounds great.

Both Dom and Alan’s companies provide NAC solutions.  Both were at the show.  Both seem to convey the sense that this was more circus than it was scholarly.  I’m not sure that’s because it was focused on NAC or because in general most conferences/forums are completely useless, but I’m interested in anyone else’s opinion from those what were there.

/Hoff

Take5 (Episode #2) – Five Questions for Marcus Ranum

June 25th, 2007 3 comments

This second instance of Take 5 interviews Marcus Ranum.  Yep, no shit.

First a little background on the victim, Marcus Ranum, in his own words:

I don’t know how to describe myself, anymore. At this point I have held every job you can hold in the security industry – from system administrator to coder, engineering team leader, product manager, product marketing, CSO, CTO, and CEO, industry analyst, teacher, and consultant. If I got to choose which of those I’d rather you thought of me as, it’d be teacher.

Back in the early 90s I did a lot with developing firewalls, and designed and coded the DEC SEAL and TIS Firewall Toolkit – both of which were pretty popular and ground-breaking in their time. I also founded one of the early IDS start-ups, Network Flight Recorder (recently bought by Checkpoint) and served as CEO there for 4 years. Today, I am the CSO of Tenable Network Security – the company that produces the Nessus vulnerability scanner and a suite of security management tools. I live in the wilds of Pennsylvania with 2 huge dogs, 2 horses, and about 18 cats, and spend my spare time doing photography, farming, and too much other stuff to list.

1. Let’s get this out of the way first…The Security Industry vs. Marcus Ranum…Why so grumpy or are you just misunderstood?

I don’t understand! Does the security industry disagree with me? What, are they, stupid?

Just kidding. I’m grumpy – and justifiably so – because, like many security people, I’ve noticed that if you work really hard to organize your thinking about security so that it becomes clear – your good advice will be completely ignored anyhow. Many of the problems that we encounter all over the place today are just instances of the same problems that smarter people than myself predicted we’d have in the early 1980’s.

So, I see the industry as dangerously out of step with its constituents. Remember: this is about protecting real people against real bad things. It’s not a theoretical game. I get really pissed off when I see glib little sociopathic weasels putting innocent people at risk so they can market their products (to those same people!) – it disgusts me. And it disgusts me when I see the media, government agencies, and big-name vendors playing the game.

Those are the short-term frustrations. There are longer-term ones, as well. One of my dad’s friends was a cardiologist and he used to periodically go on a rant that went like this: "90% of my patients come in and are overweight, out of shape, and drink too much, smoke, or snort cocaine. They tell me all this and I tell them they’re ripe for a heart attack. Then I tell them that they need to lose some weight, exercise, and take it a bit easier on their bodies – and they look at me like I’m crazy and ask ‘what’s Plan B’?"   

Well, that’s how I feel about security a lot of the time.  The problems we deal with are so stupid and so obvious – sometimes it makes me want to ask executives, "What are you, retarded?"  Even a Harvard MBA should be able to figure out that if you have copies of your data all over the place where anyone in the enterprise can get at them, it’s going to wind up on laptops and on the Internet.

So – I am frustrated and I am middle-aged (and then a little bit) – at a certain point I feel the long-term downside of speaking my mind will get less and less significant, so why not just let it all hang out?

2. You’re at Tenable Security as CSO now, what are you doing there and why?  You and Ron Gula make a great couple, but are you involved in any other security or technology ventures?

Well, originally, it was Ron and Renaud. Tenable was already cooking along on course before I got involved. I knew Ron from the NFR days because I used to compete with him when he was selling the (now Enterasys) Dragon IDS against us. My role at Tenable is to be a mix between class clown, consultant, and technical trainer – I teach our customers’ classes on how to use our products and feed back ideas and questions through Ron. It works pretty well. Best of all, the rest of the management team at Tenable are all highly technical geeks.

There’s no arguing about how to do the right thing with Venture Capitalists because we’re self-bootstrapped and suit-free. On the other hand, we’ll argue all day about which Linux distro is better – if you can pick and choose your battles, I’ll take technical debates about how many angels can fit on a USB thumb-drive over talking to MBAs any day.

I serve as an advisor to several security start-ups and have to be very careful to keep from getting at competitive cross-purposes. But I love the advisory role – you can look at where a product is going and say, "hey, it’d be nice if it did X, Y, Z" – and a few months later, it does. It’s like being an important customer without having to talk to sales guys! I make a point of actually pounding on products and getting as deep as I can, too.

For example, I am on an advisory board for a company called Fortify that makes a source-code security analyzer tool, and I grabbed the product and spent a week running some of my own code (and other popular open source products) through it. That kind of thing can be really fun!

3. You’ve recently started publishing your "Rear Guard" PodCast.  It’s quite entertaining and what some might describe as classic "Ranum."  What attracted you to PodCasting and do you see starting a Blog?

I got interested in podcasting because I have a real problem with writing – I’ll write an article and go over it again and again and again until I’m happy with it. Writing is like pulling teeth for me. Sometimes, such as the time I was stuck in Frankfurt airport with nothing to do for 36 hours and the only electrical outlet was in the beer-bar – then I get a lot of writing done in a burst. But it doesn’t come easy for me whereas speaking does. So I was listening to a few of my old audio recordings from conferences and thought, "Hey, I can get stuff out there really fast this way!"   Besides it’s a great way to play with tech toys like audio recorders and phone line-taps, etc!

Normally I am an instant nay-sayer about "the new thing" for its own sake but I think that podcasting is fascinating – essentially it’s completely liberated asynchronous radio. If that’s not fantastic, I don’t know what is! The barrier to entry is basically nonexistent – it’s so low there’s no need to worry about sponsorship or marketing crap to pay for it. It’s an environment where content truly is king: if your stuff is good, people will listen.

With respect to a blog – probably not. There are already great blogs out there and I don’t like the short note format. I prefer to write constructed arguments or tutorials; I just can’t whip out a couple paragraphs and let them go like some people can. Blogging tends to encourage a high volume of content. With my schedule and wildly varying energy/attention levels I can’t do more than an intermittent effort.

4. Are there any companies with emerging products or technology in the security space that you feel really "get it" and are doing the "right things" to move security ahead in the right direction?

I’d like to dodge that question, if I may. Otherwise I’ll sound like a marketing guy.

But the sad truth is that a lot of what I see out there is reinventing the wheel to varying degrees. The industry has reinvented antivirus and firewalls about ten times so far – of course it gets called something new and whizzbang each time. That’s inevitable (and uninteresting) because security is a moving target – someone is always getting new bright ideas like "let’s tunnel remote procedure calls over SSL by encoding them in XML" and the poor guys trying to secure it only have a limited set of techniques they can apply (content filtering, signatures, protocol analysis) and – of course – they’ll work as well as they always do.

There is cool stuff being done but I’d categorize it mostly as "solid new implementations of good old ideas."  There’s nothing wrong with that, either.

5. As one of the "founding fathers" of network security — from your firewall days to NFR and beyond — what advice do you have for the up and coming security "professionals"  who are going to have to deal with "securing" networks and assets in an already dynamic and hostile environment while serving the "Frappacino-YouTube-FaceBook-SecondLife-Tor-Twitter-I_Want_It_Now-AlwaysOn" generation who hack life?

Succinctly? "Get used to losing every battle you fight."

I actually get a fair number of Emails every month from people who are thinking about getting into information security. My old suggestion used to be to identify an interesting but not overly ambitious problem in the security space, make a decent attempt at making it less of a problem, and publish everything you can about what you did, why, and what you learned.

Thanks to the "bug of the minute" mindset we’re stuck in now, security has become an intellectual wasteland and the people who will be the next generation of stars will always be the ones who are solving problems (not creating them) and helping the poor outgunned IT specialist.

My new suggestion, when someone asks me about a career in security, is to reconsider the whole idea. In 10 years (probably less) security is going to re-collapse back into system administration and network administration.  Your security practitioner of the future is going to be the guy who clicks the "make it secure" button on the rack of Cisco gear – and he’ll have no idea what that button does. On the systems side, he’ll be the Windows system administrator who forklift-pushes Microsoft Security for Windows to all the desktops, enables it, and reboots them. That’ll be that.

Note: I am not saying it’ll actually be secure, or work, but that’s about the tolerance for security effort that will be left in most IT executives’ minds. And, of course, security will be reporting to lawyers. After all these years of short-sighted security experts saying, "What we need is legislation…" now we’ve got it.

And, as a consequence, security is going to be permanently in the "expense" column and it’ll be a legal mitigation/triage game played by executives and lawyers, with the security guy’s job consisting mostly of hovering over the system admin’s shoulder to make sure that they actually clicked the "on" button where it says "security."

So – I think security’s about to suffer a mental and financial heat-death. Frankly, we deserve it. If you look at what security has accomplished in the minds of most IT execs, during the last 10 years, it has been an endless stream of annoying bug-fixes. All the positive stuff is completely overwhelmed by the flood of mal-this and mal-that and the constant yammering for attention from the vulnerability pimps.

6. Bonus question.  Assuming I qualify the form factor to something that can be carried on your person, what’s your favorite weapon?

That would have to be my custom-forged Bugei daisho that I commissioned in the early 1990’s. But if it was a situation involving more horizontal separation, I’d have to go with my Barrett model 95 with the 8-32x US Optics scope.

/mjr.

Categories: Uncategorized Tags: