Cyber-Security Plan: “Strategery” Part Deux

Posted in Government on June 1, 2009 by Matthew Flick

A couple of months ago I wrote a quick blog post on President Obama’s initial outline for protecting the nation’s homeland security… well, this past Friday he released his cybersecurity plan to the general public. In all honesty, there aren’t any big surprises, and it seems in line with the recommendations put forth by the Center for Strategic and International Studies (CSIS) cybersecurity commission in December.

For the most part, the media and industry pundits find President Obama’s plan to be on target and favorable. He is determined to have a more joint effort (public and private organizations) to “deter, prevent, detect and defend” against cyber attacks. He was clear that he does not want the federal government to regularly monitor “private-sector networks,” and he believes that the Internet has become the backbone of American communications. The plan places cybersecurity leadership in the White House, working closely with him, and it appears that the appointed cyber czar will have coordinating authority over the Pentagon, the National Security Agency, the Department of Homeland Security and so on.

An interesting difference between President Obama’s strategy and the Bush administration’s is his plan to distribute his approach to the public and to the companies most vulnerable to cyber attack. The previous administration’s strategy/policy was entirely classified. Obviously, if it’s important and requires everyone’s help, you need to get everyone on the same page, and you can only do that if there is a national plan and everyone knows about it.

Again, President Obama is making cybersecurity a top priority and has made good on those campaign pledges… Who wouldathunkit, the President makes a promise and keeps it. If only all of our government leaders were like that ;)

Cross Site Scripting Anonymous Browser (XAB) Proof-of-Concept Released

Posted in Application Security, Black Hat with tags , , on May 19, 2009 by Matthew Flick

Today I finally found the time to release the XAB Proof-of-Concept code. An apology to those of you who have been emailing us wondering when we would publish it.

We’ve decided on Sourceforge and you can download the code from the XAB project page located at:

We’ve submitted talks to Black Hat and Defcon for the updates we’re working on, so hopefully we’ll have the chance to catch everyone up…solicit some more feedback…and grab a brew. Or two…

Free Antivirus!

Posted in Cloud Computing, Malware, SAAS with tags on May 4, 2009 by Tim

With the current state of the economy, budgets across organizations are being slashed, and IT/security department budgets are no different. As a result, organizations are looking for ways to reduce costs while remaining, or still trying to become, compliant with numerous regulatory mandates. So what organization would not want free antivirus? Now, what if I threw in a smaller footprint and a lighter load on system resources than traditional antivirus applications? Snake oil? Silver bullet?

Last week, Panda Security announced the public beta release of its free cloud-based “thin-client” antivirus. Panda states that this solution has 50 percent less impact on PC performance than fat-client, signature-based antivirus programs. While this product is aimed more at home users, several other services and products intended for commercial and government organizations exist. As such, one must look at the implications of moving security operations into the cloud before introducing them into the enterprise.

Cloud computing reduces hardware costs by moving hardware and administrative duties off-site. But as a side effect, your organization’s sensitive information is accessed, and may be stored, off-site. In this entry I am not going to go through every question you should ask your cloud-services provider. However, before you start using these services, you should ensure the third party addresses at least the following high-level areas in a way that meets or exceeds your own requirements:

  • Data storage
  • Data access methods
  • Physical security
  • Access control

Black Hat DC 2009 Reception

Posted in Black Hat, Conferences, Events with tags , , on February 18, 2009 by Tim

We’ll be hosting an informal reception tomorrow, Thursday, February 19, at Bailey’s Pub & Grille in Crystal City to celebrate Matt’s Black Hat DC presentation. No need to RSVP, but make sure you introduce yourself to Matt early to get in on the swag. The drinks will start flowing at 6 PM and we’ll be around until at least 7:30 PM.

Support for President Obama’s cybersecurity “strategery”

Posted in Government on February 4, 2009 by Matthew Flick

Last week, Tim shared his views on the new plotline of the popular TV show 24 and expressed his hopes for President Obama’s cybersecurity strategy.  Had he checked his email before posting his blog, he would have seen my email that the administration released an outline for protecting the nation’s homeland security. We need to work on our timing!

President Obama’s initial strategy includes a six-step approach on “Protecting Our Information Networks.” It states the administration (while working with private industry, the research community and our citizens) will:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
  • Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
  • Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

Surprisingly, this plan closely resembles the recommendations suggested by a commission of computer security experts one month earlier in December, 2008. The Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency released a 94-page report urging the incoming administration to improve cybersecurity by changing the way the federal government operates and by building better collaboration across organizational boundaries.  One of the specific recommendations included having an executive in the White House responsible for cybercrime coordination rather than having it fall under the Department of Homeland Security. I think most folks would agree that President Obama and his administration using the Commission’s recommendations as part of his strategy is ideal, but with the struggling economy, one hopes there will be enough money and resources to see at least some of them implemented.

President Obama has continued to state cybersecurity is a top priority and so far has made good on those campaign promises from last year. We can only hope the eventual implementation more closely resembles this strategy than the ’24’ all-powerful CIP firewall.

Black Hat DC 2009 Presentation

Posted in Application Security, Conferences on January 28, 2009 by Matthew Flick

My abstract for this year’s Black Hat DC was picked up. I’ll be presenting the XSS Anonymous Browser tool, or XAB for short. I’m currently hammering out some of the more technical aspects of the tool, but I’ll have a working proof of concept ready for the conference. Plus if there’s time (who am I kidding?), I’ll release a second tool that is a great defense against the attack vectors that XAB utilizes. You can read more about the XAB tool presentation at the Black Hat DC 2009 Speakers Briefings page,

http://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Flick

For those of you in the Tampa area, I will be presenting the same tool at the OWASP Tampa meeting on February 18. You can check out the Tampa Chapter’s page here,

https://www.owasp.org/index.php/Tampa

I hope to see you at either or both presentations and SafeSurfing…

Who needs defense in depth when you have a CIP firewall?

Posted in Government with tags , , on January 25, 2009 by Tim

For this avid 24 watcher, this season has been hard to watch. Granted, 24 has always pushed the envelope of “believability,” but this season may just force me to succumb to my wife’s Monday night addiction to Jon & Kate Plus 8.

For those of you who aren’t following the show, basically the US government has a “mother” firewall that protects all of its networks, including the FAA and every public utility. (The official CIP page is located here.) The bad guys have developed a hardware appliance that can bypass the firewall and give them access to any of the networks it protects. (Apparently this hardware appliance has a tendency to overheat, but don’t worry the designer figured out how to fix that! Phew!)

With the bad guys possessing such a powerful piece of technology, the US’ foreign policy is being threatened. I’ll completely ignore the fact that I know that all of these networks are not connected and believe that the clandestine services can’t determine source IP addresses. Then I’ll suspend reality even more, and believe that there is such a “mother” firewall and that the bad guys can do whatever they please to the protected networks.

So…What can we do? Do we have to yield to the demands of the bad guys? Apparently so…

So it’s obvious that I am on a rant, but what irks me the most about this year’s plot is that the President in the show actually stated a viable solution. She said something to the effect of “Isn’t it just technology? Can’t we just unplug it?”

Yes, just unplug it. That’s my recommendation. Weighing the threat of US casualties or succumbing to the demands of terrorists versus down time of the CIP firewall, I would opt with unplugging the brilliant idea known as the CIP firewall.

It’s obvious how frustrated I am with this year’s plot. But hey, if this situation mimics reality, I would hope that Obama’s new Cyber-Security czar would look for both technical and non-technical solutions to such a problem. If not, looks like there may be a lot of money to be made in educating the US government on concepts their own agencies developed.

Holes in Your Security Christmas Stockings

Posted in PCI, Penetration Testing, Vulnerability Assessment with tags , , , , , , , , , , on December 31, 2008 by Tim

Over the Holiday season, I tended to my family’s computers for their annual check-up. As usual, I initially checked which Microsoft security updates were not installed. While their computers are configured to download and install Microsoft security updates automatically, several updates usually require manual interaction to install. After the Microsoft security updates were installed, I began the daunting task of installing the non-Microsoft application security updates and upgrades that have accumulated over the course of the year.

Similarly, most organizations have set up Windows Server Update Services (WSUS) or Systems Management Server (SMS) to apply Microsoft security updates. However, most organizations still have not implemented an enterprise-wide solution for applying security patches to non-Microsoft applications. Applications such as Adobe’s Acrobat and Flash or Sun’s Java Runtime Environment are often installed as part of a base laptop image or installed by employees later. While their vendors release security updates regularly, these applications stay at whatever patch level they had when they were installed. As a result, organizations remain extremely exposed through these non-Microsoft applications. For example, on December 5, 2008, US-CERT released an advisory (US-CERT Advisory TA08-340A) concerning vulnerabilities that could allow an attacker to obtain complete control of systems running vulnerable versions of Sun’s Java Runtime Environment.

I am not recommending that organizations abandon non-Microsoft products, though I would encourage organizations to evaluate the alternatives. The current problem is that non-Microsoft applications are often overlooked because the emphasis in patch management is on Microsoft products.

Several enterprise solutions exist to apply patches to non-Microsoft applications. Like Microsoft’s WSUS and SMS, these products are not perfect and have their own flaws. In order to implement an effective solution, the following best practices should be followed:

• Identify the applications that have valid business requirements

• Restrict users from installing other applications

• Implement an enterprise-wide solution that controls applying security patches to non-Microsoft applications
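As an added example (not code from the original post or from any patch-management product), the script below shows the kind of check the first and third steps imply: take a software inventory, compare each installed version against the minimum version the organization has decided is acceptable, and list both the outdated installs and the products that nobody has written a baseline for. The inventory, hostnames and minimum versions are constructed for illustration; in practice the inventory would come from your asset tool and the minimums from the vendors’ bulletins. The one non-obvious part is comparing vendor version strings, since Java’s “1.6.0_07” style does not sort correctly as text.

```python
"""Audit a software inventory against minimum patched versions.

Added example for this post, not part of the original. The inventory and the
minimum-version table below are constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Minimum versions an organization might decide are acceptable. Hypothetical
# values chosen for the example, not taken from any vendor bulletin.
MINIMUM_VERSIONS: Dict[str, str] = {
    "Java Runtime Environment": "1.6.0_11",
    "Adobe Reader": "9.0.0",
    "Adobe Flash Player": "10.0.12.36",
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("lt-0142", "Java Runtime Environment", "1.6.0_07"),
    ("lt-0142", "Adobe Reader", "8.1.2"),
    ("lt-0142", "Adobe Flash Player", "10.0.12.36"),
    ("ws-0031", "Java Runtime Environment", "1.6.0_11"),
    ("ws-0031", "Adobe Flash Player", "9.0.124.0"),
    ("ws-0031", "Mozilla Firefox", "3.0.4"),   # no baseline defined for it
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a comparable tuple of integers.

    Handles dotted versions ("9.0.124.0") and Java's "1.6.0_07" form, where
    the update number follows an underscore. Parsing stops at the first
    component that does not start with a digit, so suffixes are ignored.
    """
    numbers = []
    for part in re.split(r"[._]", version):
        m = re.match(r"\d+", part)
        if not m:
            break
        numbers.append(int(m.group()))
    return tuple(numbers)


def is_below(installed: str, minimum: str) -> bool:
    """True when installed is older than minimum ("9.0" counts as "9.0.0")."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, minimums):
    """Return (outdated, unbaselined).

    outdated: (host, product, installed, minimum) for every install below the
    minimum. unbaselined: products present in the inventory but absent from
    the minimums table, i.e. software no one has decided is required.
    """
    outdated = []
    unbaselined = set()
    for host, product, version in inventory:
        if product not in minimums:
            unbaselined.add(product)
            continue
        if is_below(version, minimums[product]):
            outdated.append((host, product, version, minimums[product]))
    return outdated, sorted(unbaselined)


if __name__ == "__main__":
    old, unknown = audit(INVENTORY, MINIMUM_VERSIONS)
    for host, product, have, need in old:
        print(f"{host}: {product} {have} is below {need}")
    for product in unknown:
        print(f"no baseline for {product}: decide whether it is required")
```

Run as-is it reports the two outdated installs on lt-0142, the old Flash on ws-0031, and Firefox as a product with no baseline; that last list is exactly the input to the “valid business requirement” decision in the first step.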

As Microsoft works to create more secure products, attackers are crafting malware that specifically targets non-Microsoft products. For example, a Trojan masquerading as a plugin for Mozilla’s Firefox web browser was recently identified (http://www.bitdefender.co.uk/ – Firefox Trojan). Security patches for non-Microsoft applications have been overlooked for many years and should become a major initiative for organizations.

The New PCI 6.6

Posted in Application Security, PCI with tags , , , , on November 20, 2008 by Matthew Flick

All Your Public facing Web Apps Are Relevant To Us

I’m going to start off this post with the moral of the story: Good intentions often have bad, unintended consequences. The following is the ‘Testing Procedures’ text of requirement 6.6 from the new PCI DSS v1.2 (source: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html):

For public-facing web applications, ensure that either one of the following methods are in place as follows:

• Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:

– At least annually
– After any changes
– By an organization that specializes in application security
– That all vulnerabilities are corrected
– That the application is re-evaluated after the corrections

• Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

Note that for ease of reading I’m going to shorten “PCI DSS v1.2 Requirement 6.6” to just “PCI 6.6” since nearly everyone already refers to it as such.

Without further clarification, this requirement now compels an organization that stores, processes, or transmits cardholder data (“CHD”) to apply PCI 6.6 to all of its publicly accessible “web applications,” regardless of whether those applications participate in the storage, processing, or transmission of CHD. We must also assume that the requirement applies regardless of other security controls, such as network segmentation. Disregarding all other changes to the PCI DSS, this one requirement could significantly increase the level of effort and cost of PCI assessments.

Before I get into advice for dealing with the new requirement, let’s examine the two options in light of the change. The first option is to have an application security organization perform security testing on the applications, correct the identified vulnerabilities, re-test, and repeat if necessary. Such testing must occur “at least annually,” which should not be a huge problem… and “after any changes,” which could very easily push an organization to simply stop making changes to its web applications. Unintended consequences.

The second option seems simple, straightforward, and innocuous unless you have actual experience with web application firewalls (“WAFs”). At a high level, WAFs have two basic modes of defense: 1. blacklisting attack strings, with signatures typically pushed down by the vendor like anti-virus updates, and 2. custom rule checking, which requires training the WAF to understand the application it is protecting. Both modes can produce false positives; the second, more effective mode requires a lot of human interaction throughout the system’s lifecycle. Add to the mix the large price tag of commercial WAFs and the new requirement to protect all public-facing web applications, and what you likely end up with is an organization implementing an easily defeated blacklist of the standard attack strings (XSS, SQL injection, etc.). Unintended consequences.
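To make the difference between the two modes concrete, here is an added example (not code from the original post or from any WAF vendor) that runs a handful of constructed requests through a three-signature blacklist and through per-parameter rules for a hypothetical order-lookup page. The parameter names, their allowed shapes and the requests are all assumptions made for the illustration. It shows the two failure modes the paragraph describes: the blacklist blocks a legitimate comment that happens to contain one of its strings, and it lets through trivial variants of the strings it knows, while the custom rules catch both at the cost of someone having to write a rule for every parameter the application accepts.

```python
"""Blacklist signatures versus per-parameter rules, as discussed above.

Added example, not part of the original post and not any product's code.
Signatures, parameter rules and requests are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Mode 1: vendor-style attack-string blacklist, case-insensitive like most.
BLACKLIST = [
    re.compile(r"<script", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*or\s+1=1", re.I),
]

# Mode 2: custom rules describing what each parameter may look like. Writing
# these needs knowledge of the application, which is the human effort the
# post refers to. Hypothetical parameters for an order-lookup page.
PARAM_RULES: Dict[str, re.Pattern] = {
    "order_id": re.compile(r"^[0-9]{6,10}$"),
    "zip": re.compile(r"^[0-9]{5}(-[0-9]{4})?$"),
    "comment": re.compile(r"^[\w .,!?'\-]{0,200}$"),
}


def blacklist_verdict(params: Dict[str, str]) -> str:
    """Block if any parameter value contains a known attack string."""
    for value in params.values():
        if any(sig.search(value) for sig in BLACKLIST):
            return "block"
    return "allow"


def custom_rule_verdict(params: Dict[str, str]) -> str:
    """Block unless every parameter is known and matches its allowed shape."""
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            return "block"
    return "allow"


# Constructed requests to the hypothetical page.
REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("benign", {"order_id": "20081120", "zip": "33602"}),
    # Legitimate free text containing a signature: blacklist false positive.
    ("benign_fp", {"order_id": "20081120",
                   "comment": "The union select committee meets Monday"}),
    # Textbook strings the blacklist was written for.
    ("textbook", {"comment": "<script>alert(1)</script>"}),
    # Variants that contain none of the three signatures.
    ("xss_variant", {"comment": "<img src=x onerror=alert(1)>"}),
    ("sqli_variant", {"order_id": "1/**/UNION/**/SELECT/**/1"}),
]


def compare(requests) -> Dict[str, Tuple[str, str]]:
    """Return {label: (blacklist verdict, custom-rule verdict)}."""
    return {label: (blacklist_verdict(p), custom_rule_verdict(p))
            for label, p in requests}


if __name__ == "__main__":
    for label, (bl, cr) in compare(REQUESTS).items():
        print(f"{label:12s} blacklist={bl:5s} custom_rules={cr}")
```

The per-parameter rules are a positive model: they say nothing about attacks and simply refuse anything outside the expected shape, which is why they hold up against strings the blacklist has never seen. The price is that a new parameter or a widened input field breaks the application until someone updates the rule, which is the lifecycle cost the paragraph above warns about.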

I do not want to be accused of PCI hate speech. In fact, I would like to sincerely applaud their efforts in helping to drive application security education and strongly encouraging organizations to address the problems. My concern, though, is that the more stringent the requirements become, the more likely organizations will continue (or begin) to do only the bare minimum in order to “check the box” instead of fixing the root cause of the problem. This is similar to the problem of progressively raising taxes: the higher the tax rate climbs, the more people will invest in identifying loopholes, legal or otherwise. Or, in Star Wars terms, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” –Princess Leia

With this information in mind, we now come to the issue of how to approach PCI 6.6. I’m going to suggest the most pragmatic approach, one that should work for most or all organizations, or at least those organizations that must endure PCI DSS assessments. In step-by-step format, naturally:

1. Classify applications – Put every public-facing web application in a grid by user type (e.g. internal users only, external users only, mixed) and data sensitivity (e.g. CHD, public, internal/corporate, internal/sensitive).
2. Shorten the list – If possible, move all web applications with internal users only to the internal network and provide external access via VPN. This should be an obvious move, and something that should have been done well before PCI 6.6, but you might be surprised how often I see this situation.
3. Create an assessment plan – First determine the budget for automated runtime vulnerability scans (the “cheap” option) against all remaining public-facing web applications. The remaining budget, if any, can then be reserved for more effective assessment tasks on the most relevant applications, obviously starting with those that store, process, or transmit CHD.

As a general rule, I suggest using the results of a vulnerability scan/assessment of one application to identify and remediate potential weaknesses in other applications that share the same codebase or were developed in a similar fashion. This approach should reduce the number of findings in subsequent tests.

If all the advice in this post seemed familiar or common sense, then congratulations… you’ve been paying attention! The security industry has been evangelizing a risk-based approach for a long time now. Or at least some of us in the industry have been.

Nmap’s New Math? 9 = 8 but does 3,674 = 65,536?

Posted in Penetration Testing, Vulnerability Assessment with tags , , , , on November 13, 2008 by Tim

Fyodor’s inclusion of the results from the Top Ports Project in the latest version (4.76) of Nmap is a welcome addition for information security professionals who need to port scan large networks in short periods of time. **cough*** Consulting Firms ***cough**

However, the claim that scanning only the top 3,674 TCP ports with the “--top-ports” switch is 100% effective (a coverage figure derived from the project’s survey data, not a property of any particular network) opens the door for yet another false sense of security. I wholeheartedly believe that it was NOT Fyodor’s intention for organizations to rely solely on port scans using this configuration to determine which ports are open. However, it does not require a leap of faith to believe that some less “offensive minded” security professionals will now use this configuration to get a “complete picture” of their networks.

Why is this a problem? If you are reading this blog, you probably already know where I am going with this. It doesn’t require another leap of faith to believe that an attacker or offensive-minded individual would examine the “Top Ports” list and code their malware, or configure their tools, to listen on ports that are not on the list. The result? Those who subscribe to the complete-picture mentality will not discover those open ports.

So how do we effectively leverage the hard work of the Top Ports Project? I’m not entirely sure yet. Perhaps we use the “--top-ports” switch to perform differential scans and continue to use “-p-” to perform baseline scans? Or maybe we use the “--top-ports” switch to perform discovery scans and “-p-” to perform enumeration?
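One way to test the baseline-versus-differential idea on your own network, as an added example that is not part of the original post or of Nmap: run a full “-p-” scan once as the baseline, run “--top-ports” scans afterwards, save both with “-oG”, and report every open port the baseline found that the top-ports scan does not show. Anything in that report is a service an attacker could have parked outside the list. The grepable output below is constructed for the example (port 61000 was picked arbitrarily as the “not in the list” service; whether a given port is actually in the top 3,674 is determined by Nmap’s nmap-services data, not by this script), and the command lines in the comment are the assumed way the two files were produced.

```python
"""Diff a full-range Nmap scan against a --top-ports scan of the same hosts.

Added example for this post, not part of the original or of Nmap. Reads
Nmap's grepable output (-oG). Assumed commands that produced the two files:
    nmap -p- -oG baseline.gnmap 10.0.0.0/24
    nmap --top-ports 3674 -oG top.gnmap 10.0.0.0/24
"""
import re
from typing import Dict, List, Set

# Constructed -oG output standing in for baseline.gnmap and top.gnmap.
BASELINE_GNMAP = (
    "# Nmap 4.76 scan initiated as: nmap -p- -oG baseline.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "61000/open/tcp/////\tIgnored State: closed (65532)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (65534)\n"
    "# Nmap done\n"
)
TOP_GNMAP = (
    "# Nmap 4.76 scan initiated as: nmap --top-ports 3674 -oG top.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (3672)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (3673)\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from grepable (-oG) output.

    Each "Ports:" entry is port/state/proto/owner/service/rpc/version; only
    entries whose state is exactly "open" and whose protocol is tcp count.
    Hosts with no open ports still appear, with an empty set.
    """
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        hosts.setdefault(host, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if proto == "tcp" and state == "open":
                    hosts[host].add(int(port))
    return hosts


def missed_ports(baseline: Dict[str, Set[int]],
                 top: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open ports seen by the full scan but absent from the top-ports scan.

    A host missing entirely from the top-ports scan has all of its baseline
    ports reported, which also catches hosts that were down on the rescan.
    """
    missed: Dict[str, List[int]] = {}
    for host, ports in baseline.items():
        gap = ports - top.get(host, set())
        if gap:
            missed[host] = sorted(gap)
    return missed


if __name__ == "__main__":
    report = missed_ports(parse_gnmap(BASELINE_GNMAP), parse_gnmap(TOP_GNMAP))
    for host, ports in report.items():
        print(f"{host}: open in -p- baseline but not in --top-ports scan: {ports}")
```

With real files, replace the two constructed strings with the contents of baseline.gnmap and top.gnmap. The same function pair also answers the second question in the paragraph: run the discovery scan with “--top-ports” to find live hosts quickly, then feed only those hosts to a “-p-” enumeration scan, and diff the two in the other direction to see what discovery alone would have missed.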

I do know that the information that has been provided as a result of the Top Ports Project is valuable. How do you think we can effectively use this information?