Hi,
I’ve been unable to blog for a while now and for various reasons I am closing this place until further notice.
Yes, I’ll be back but don’t ask me when
I’ve got my hands full with some speaking engagements, the Eurotrash podcast, prepping some other exciting stuff, my day job and family … I’ll be busy enough.
I hope to catch you all at a later point this year !
Take care & stay secure !
Wim
Every blog should touch on the recent announcement by Google that it has been under attack by Chinese entities, right ?
Here I am with my personal observations
enjoy !
This is actually a good thing !
When Apache got hacked a few months ago, most comments were not about who, why and what but about the way Apache handled the attack. In contrast to what we had seen up until then in the corporate world, Apache reacted with openness, detailing what happened, why it happened and how they reacted to the situation. Secretly, I was hoping that companies would look at this and learn from it.
Today we see a similar reaction by Google, Adobe, etc. I can only cheer this on and hope that this type of reaction becomes the standard ! All stakeholders (shareholders, employees, partners, customers, …) benefit from openness as it does not leave room for speculation.
It’s just China, get over it.
It’s pretty funny to see that all of a sudden everybody seems to be an expert on China, Chinese culture and the Chinese hacker culture/economy in particular. All of my in-laws are Chinese and I have spent a generous amount of time travelling through China. The Chinese are, in general, pretty ordinary people, like you and me. Generalizing and saying that “The Chinese” are up-to-no-good, IP-stealing spies won’t help. There are plenty of cases where US corporations have spied on European corporations, and I don’t doubt most of them involved at least some computer manipulation. Add to that the less than favorable reputation the US has built up by interpreting international law rather flexibly, and this discussion is moot.
‘0h my god’-day rather than 0-day
Several people have commented on the technicalities of “the hack”. Andrew Jaquith wrote down his observations over at CSOOnline. Now I have to admit that Andrew has been one of my favorite infosec people ever since he wrote his Security Metrics book, but I digress …
Here’s what bothers me the most about that post :
Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling.
Now, if you, as a company, fail to identify your business-critical information as important enough to implement sufficient controls to protect it from getting spilled at the first browser 0-day, you suck. It means that you have failed completely. If any security effort is dictated by compliance, aka a checklist that defines the minimum you should do, IT IS NOT ENOUGH ! Surveys, statistics, magic quadrants and waves won’t save your ass even on a sunny day. Don’t do what “everybody is doing”, do what is necessary to protect YOUR assets.
Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer.
…
In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.
The search engine for security vulnerabilities at securityfocus.com reports 6 pages of vulnerabilities for Firefox, in general, and 6 pages for IE starting at IE5 SP4. I could do extensive research, but call me lazy and it’s Saturday, I got a life. There isn’t a lot of difference between both browsers in terms of being more or less vulnerable. (I’ll do a survey though and maybe create a magic rectangle of sorts !)
What do you mean exactly by “when one browser is targeted, enterprises can mitigate their risk by switching.” ? Choosing a (new) browser for your corporate workstations isn’t something you do overnight, as a reaction to a 0-day being reported. If I want to attack your infrastructure, I will find out what software you’re using and I’ll hit it until I find an exploit that I can use to bring you down.
When I have to protect an infrastructure, one of the first rules (in my very humble opinion) is standardization. If you rule your infra like a sheriff in the wild west, allowing everybody to use whatever they want, you’re bound for disaster. When standardizing you look for manageability. In terms of manageability in a corporate environment, IE is your browser of choice. Why? Two reasons :
What I do see regularly is poorly and/or ad-hoc developed and often unsigned ActiveX controls. This has nothing to do with IE in itself. If you’re a crappy developer or your company has shitty development processes and you let this type of BS through QA, it could just as well be your next Firefox plugin. If you develop for a certain platform, you should take into account the risks related to that platform. I do agree with that. “Switching” isn’t easy and it’s not a solution …
Humans remain the weak link. I spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.
Andrew gives Adobe the get out of jail free card here because now suddenly it’s the user who’s at fault !! If you’re using IE you should switch to Firefox because, you know, Microsoft don’t know how to develop but if you’re using Adobe Reader, well, it’s your own fucking fault ! Fact of the matter is that unless you’ve been living under a rock, Adobe has shown neither responsible behaviour nor secure development skills in the past 12 months while Microsoft has consistently improved security in their development process and their behaviour in relation to serious vulnerabilities.
Let me spell this out : people click links just as people open attachments. If there is one resource we are not utilizing enough in our security efforts, it is the people who are using our infrastructure on a daily basis. If your users are randomly opening attachments and clicking on links they shouldn’t be clicking on, the CISO should not dust off his social engineering playbook … He should be looking for new employment !
I think everybody remembers that about 6 months ago some big names in the infosec community were put to shame when their sites got haxored by the “antisec” group, claiming they were on a mission to prove the whitehat community wrong.
Now, it seems like they got their ass handed to them by a group called “prosec” which made it their goal to take “antisec” down and boy did they succeed … the results of their work can be found and enjoyed here : http://pastebin.com/f12f6f9c0
If you thought zf05 was hilarious, wait until you read this epic stuff !
From what I read, it is what we all assumed : a group of lame-ass skiddies with nothing better to do than try and be something they are not on the intertubes. It could only last that long …
As I completely trashed my old iPod (sitting my fat ass on it during 10hrs of flight was more effective than I’d hoped…) I was on the lookout for a new one. As I leaned towards a Touch and I didn’t want to spend a load of cash on it, my mind was set on the 8GB edition, but in the past years I had subscribed to more podcasts than I would ever be able to listen to. Additionally, they would use too much space (my old iPod was a 30GB classic).
As of now, this is my list of podcasts that I will regularly listen to (or watch) :
I’m aware that there are other podcasts out there and since I ended up with a 64GB Touch as the 32GB or 8GB weren’t available, I’ll add to the list soon.
If you have any suggestions, don’t hesitate to leave a comment.