
Posts

Showing posts from March, 2009

When Software Vendors Make Security Assumptions

Bob recently ran into a situation where, in order to run a vendor-provided tool, he had to either modify his security practices or spend a bunch of time working around the poor tool design. The synopsis of his problem:
"Problem with that, though, is that it wants to log in as root. All the documentation says to have it log in as root. But on my hosts nobody logs in as root, unless there’s some big crisis happening." This wasn't a crisis.

This seems to be a common problem. We've had a fair number of situations where a vendor assumed that remote login as root was possible, that there were no firewalls anywhere, that all systems of the same platform shared the same credentials, and that unsafe practices were generally followed.

Examples:
Really expensive enterprise backup software that assumed that there were no firewalls anywhere. The vendor advised us that technical support couldn't help us if the customer was firewalled. (This was a while ago, but the product still requ…

Continuous Deployment – the Debate

Apparently, IMVU is rolling out fifty deployments a day. Continuous deployment at its finest, perhaps.

Michael Bolton at Developsense decided to look at what they are deploying. He found a couple dozen bugs in about as many minutes and concluded:
"...there's such a strong fetish for the technology—the automated deployment—that what is being deployed is incidental to the conversation. Yes, folks, you can deploy 50 times a day. If you don't care about the quality of what you're deploying, you can meet any other requirement, to paraphrase Jerry Weinberg. If you're willing to settle for a system that looks like this and accept the risk of the Black Swan that manifests as a privacy or security or database-clearing problem, you really don't need testers."

On the surface, it seems that the easier it is to deploy, the less time you'll spend on the quality of what you deploy. If a deploy is cheap, there is no reason to test. Just deploy. If the customers don't like it …

When Security Devices are Exploitable…

I can't resist connecting this bit of info from Security and Attack Surfaces of Modern Applications (via Gunnar Peterson):

"So, today's Firewall is:
A multi-protocol parsing engine
Written in C
Running in kernel space
Allowed full corporate network access
Holding cryptographic key material
…and still considered a security device?"

with Stealth Router-based Botnet Discovered (via Cybersec):

"...the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems."

When security devices are exploitable…

Killbits for Users?

I read with great interest recent information on the Windows 7 release candidate. Based on the above article and the comment shown below, I'd like to see a couple more features added to Windows 7 prior to RTM.

My requests:
A Killbits-like feature that disables the ! and ? keys upon multiple successive applications.
Elimination of the Caps Lock key functionality.

Both would be small but important steps in the evolution of the Internet.

If the patch isn't installed, it doesn't count

From: The Great Browser Security Debate post at the MX Logic security blog:
"At the end of the day, the level of security of any application installed on our computer is a combination of the vendor's ability to release timely updates to address new security issues, and the user's ability/willingness to install those updates. The discussion about application security is completely irrelevant if users do not install the updates that the vendor provides."

That pretty much sums it up.

An ERP Database Conversion

We just finished a major ERP database conversion. The conversion consisted of the following major tasks:

Migrate a decade of data from 35 RDB databases into a single Oracle 10g database.
Move from an 'all-in-one' design, where database, batch and middleware for a customer are all on one server, to a single dedicated database server for all customers with separate middleware servers.
Merge duplicate person records from all databases into a single person record in the new database.
Point thousands of existing batch, three-tier client-server, business logic services and J2EE web services to the new database.
Maintain continuous downstream replication to reporting databases.

Replication

JCC Logminer was used to replicate 600 or so tables from each of the 35 production RDB databases to a merged schema in the new Oracle ERP database. Oracle Streams was used to replicate from the ERP database to a reporting database. The replication was 35 databases into 1 database into 1 database. JCC Logmi…

Securing Real Things

Here's a podcast worth a listen: Brian Contos @ Imperva interviews Joseph Weiss on the topic of control system security.

Quotes:
"Running the operational systems comes before any security requirements."
"Power [industry] does not take this seriously."
"Are we more secure [than 10 years ago]? No."

Notes:
Systems that run Windows 95 and NT 4.0, even after the upgrades. Can't patch them without breaking them.
Custom-written TCP stacks that crash when you ping them.
Field devices with built-in Bluetooth or wireless modems.
Bolted-on security. Very old platforms, not designed with security in mind.
Two cyber incidents on systems with brand new control systems. Very significant equipment damage. Significant environmental discharge. Three deaths.

I have no particular knowledge of this general topic, other than a couple decades ago I made a living programming CNC machine tools, wrote a textbook on the topic, and occasionally played with PLC's. Oh - and I tried t…

Firewall Rule (Mis)management

The ISSA released an interesting study on Firewall rule (mis)management[1].
Among their conclusions are:
Firewalls have gotten more complex over time.
Firewall administrators routinely make errors.
Firewall administrators are not following best practices.
Firewall training materials do not focus on management practices.

This shouldn't be surprising. Firewall management is clearly an error-prone process. The problem is that the error detection is inherently biased in the wrong direction. If the error results in too few firewall openings, some application or process will be broken, someone will notice and start yelling, and the error will get corrected. If the firewall has too many openings, nothing will be broken, nobody will yell, and the error can only be detected and corrected by painful audits and mind-numbing configuration checking. In other words, the only self-correcting errors are the ones that result in less security. The result:

The natural drift over time will always be towards less security.
Co…
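To make the "painful audit" side of that asymmetry concrete, here is an added example of the kind of check that catches the openings nobody will ever yell about. It is my illustration, not code from the ISSA study or from any firewall product. It walks an iptables-save style ruleset and flags INPUT rules that ACCEPT new connections without a destination port, or from a source wider than a configurable limit. The ruleset and the default /16 (65536 address) limit are constructed for the example; the parser only understands the handful of match options shown.

```python
"""Audit an iptables-save style ruleset for overly permissive ACCEPT rules.

Added example, not from the ISSA study or the original post. The ruleset and
the source-size limit below are assumptions made for illustration.
"""
import ipaddress

# Constructed sample ruleset (not a real host's configuration).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp --dport 161 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# Assumed policy: a single rule should not admit more than a /16 of sources.
MAX_SOURCE_HOSTS = 65536


def parse_rule(line):
    """Return a dict for an '-A CHAIN ...' line, or None for any other line."""
    if not line.startswith("-A "):
        return None
    tokens = line.split()
    rule = {"chain": tokens[1], "src": None, "proto": None,
            "dport": None, "target": None, "states": []}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":
            rule["src"] = tokens[i + 1]
            i += 2
        elif tok == "-p":
            rule["proto"] = tokens[i + 1]
            i += 2
        elif tok == "--dport":
            rule["dport"] = tokens[i + 1]
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok in ("--state", "--ctstate"):
            rule["states"] = tokens[i + 1].split(",")
            i += 2
        else:
            i += 1  # options this toy parser does not model (-m, -i, ...)
    return rule


def source_size(src):
    """Number of addresses a -s argument admits; no -s means everything."""
    if src is None:
        src = "0.0.0.0/0"
    return ipaddress.ip_network(src, strict=False).num_addresses


def audit(ruleset, max_source_hosts=MAX_SOURCE_HOSTS):
    """Return (line number, rule text, reasons) for each too-open INPUT ACCEPT."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "INPUT" or rule["target"] != "ACCEPT":
            continue
        if rule["states"] and "NEW" not in rule["states"]:
            continue  # reply-traffic rule; it opens nothing new
        reasons = []
        if rule["dport"] is None:
            reasons.append("no destination port restriction")
        size = source_size(rule["src"])
        if size > max_source_hosts:
            reasons.append("source %s covers %d addresses, limit is %d"
                           % (rule["src"] or "any", size, max_source_hosts))
        if reasons:
            findings.append((lineno, line, reasons))
    return findings


if __name__ == "__main__":
    for lineno, line, reasons in audit(SAMPLE_RULESET):
        print("line %d: %s" % (lineno, line))
        for reason in reasons:
            print("    " + reason)
```

Run against real `iptables-save` output, the result is a short list of rules that someone has to justify or remove. That is the whole point: a rule that is too tight gets reported by the people it blocks; a rule that is too loose gets reported only by a check like this one.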

Broken Windows – System Administration and Security

A recent study confirms that the 'Broken Windows'[1] crime theory might be valid. As reported in the Boston Globe:

"It is seen as strong scientific evidence that the long-debated "broken windows" theory really works—that disorderly conditions breed bad behavior, and that fixing them can help prevent crime"[2]

Does the theory also apply to system administration, security, servers, networks and firewalls? How about application code?

I grew up knowing that you always cleaned and washed your car before you took it to the mechanic. Why? Because if the mechanic saw that you had a neat, well-kept car, he'd do a better job of fixing it. I've seen that in other places, like when you visit someone with a neat house versus a messy house, or hang out in a messy, smoky bar with cigarette butts and peanut shells on the floor, or a gated community versus a slum. Let's assume that it's simply part of human nature.

Quoted in the Boston Globe article:
"One of the implications certainly …

Cafe Crack – Instant Man in the Middle

Things like this[1] make me wonder how we’ll even get some semblance of sanity over the security and identity protection of mobile users.
Cafe Crack provides a platform built from open source software for deploying rogue access points and sophisticated Man-in-the-Middle attacks. They make it look easy:
"Using only a laptop, the attacker can sit unassumingly in a public location to steal personal information. Perhaps the most alarming aspect of this demonstration is that it was accomplished with only a laptop and existing open-source software."

I knew it could be done, but I thought it was harder than that.
There are things that corporations can do, like spin up VPNs:
"However, the good news is that it is just as easy to protect oneself against Man-in-the-Middle attacks on an unsecure wireless connection. By using DNSSEC or VPN services, the user can bypass the attacker and keep their information secure."

But for ordinary users?
In the end, it is up to the user to be knowledgeable and saf…