Tuesday, August 7, 2012

The very four digits that Amazon considers unimportant...

"The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification..." Honan wrote.
Four digits, when combined with my home address and bank account number, were all it took for me to gain online access to a dormant checking account at my bank and enable fund transfers. If I were fond of the various auto-pay options, there would be a dozen or so companies that would have my checking account number, and pretty much anyone in the world can find out my home address (I own a house, so it's in various public records).

Segmenting one's online life into non-overlapping buckets seems like the best way to break the daisy chain that led to the hack and data loss. I've followed that principle. I try to maintain separate, non-overlapping e-mail addresses and passwords for any online account that either is connected to something that could cost me money if it were compromised, or is used for account verification for any of those accounts.

I have lots of e-mail accounts and addresses. It's a pain in the azz, and it's only a partial solution.

Read: Ars, Wired

More thoughts here.

Friday, July 6, 2012

In MumbleWare versions 8.2 and below, the SA password must be set to propq


An e-mail from a vendor, somewhat anonymized:

From: ****
Sent: Wednesday, April 11, 2012 08:22 AM
To: ****
Subject: MumbleWare Case 123456789

     
Hello ****,
Thank you for contacting MumbleWare Product Support.  I am writing to you in reference to case number 123456789 regarding your request to change your SA password. In MumbleWare versions 8.2 and below, the SA password must be set to propq. If a different password is used, MumbleWare may not be able to communicate with the database and error messages will be generated. The attached KB article references the fact that the SA password must be set to propq in MumbleWare versions 8.2 and below. The second KB article lists the steps involved in moving from MumbleWare 8.2 to 8.3.   
It's only been a decade since we first asked the obvious question "Can we change our SQL Server SA password without breaking your application?"

I guess we finally can.

Saturday, May 12, 2012

A letter to our Apple Account Exec

A couple of days ago a colleague and I ran into our Apple account exec. The conversation ended up in the security space, as is probably appropriate considering Apple's recent performance in that area. Our account exec quickly followed up with a request for our contact information (good), a press-release style announcement on how much more secure Safari 5.1.7 was going to be (interesting), and a month-old article on how to remove Flashback (amusing).

I figured he was missing the point of our conversation. Here's my reply:


Thursday, May 10, 2012 8:31 AM
***** -

The context of our conversation was really strategic, not tactical. The short term issue of a specific malware incident isn't important. (We knew about Flashback and how to remove it shortly after it was discovered.)

What is an interesting discussion is Apple's strategic, corporate-wide attitude towards enterprise desktop security and desktop management, and the question of whether or not Apple, as a corporation, will step up to the plate with world-class proactive and reactive management of the security of OS X when they are subjected to the same sort of focus from dedicated, highly capable attackers that MS has been subjected to for the last decade or so.

The things on my radar:

 - Apple is consistently slow to patch compared to their peers. They were last to the plate with the latest Java fix. That's not a good sign.

 - Apple still asserts that they are 'more secure' than their peers, yet offers no specific technical backing for the assertions. That's not a good sign.

 - In past security performance, OS X has fared well compared to its peers. However, it doesn't appear as though its performance is due to superiority in design or execution. OS X has fallen first and hardest at browser hacking contests over the last handful of years, an indication that there is no inherent superiority to OS X in either design or execution. Apple's past performance is likely good because nobody bothered to attack them. That has/is/will change. Apple's ability to manage itself when it is the target of the world's best hackers is untested.

  - Apple fumbled badly when they did have a major incident (the delayed response and the number of patches that it took for them to clean up the last malware incident.) That's an indicator of immaturity in the general space of incident handling.

 - Apple insists on mixing routine bug fixes with security updates (today's patch, for example, is both security and bug fix). We prefer to be able to separate patches which are security only (we can rush them out) with patches that may affect the stability of existing applications (we can test them thoroughly). That's really a best practice across any system.

 - The short product support cycle of OS X. Apple's peers provide security patches for operating systems that are quite old in comparison to Apple's. An OS version that is not supported by the manufacturer with security updates for roughly 5 years after last customer ship is hard to manage in the enterprise space. Unless that changes, we'll have lots of unsupported, insecure OS X installs years from now, as support will have ended while the systems are still in use.

 - I obviously don't have any inside knowledge of the OS X browser or kernel, but the fact that I have to re-boot the kernel when updating the browser is an indicator that the browser is tightly coupled to the kernel (for good reason, no doubt) but also is an indicator that any vulnerabilities in the browser have a fair chance of affecting the kernel. Recent browser-cracking competitions have shown that to be true, AFAIK.

 - A really dumb, brain dead mistake like the latest 'store passwords in the clear when upgrading an encrypted file system' is an indicator of immature processes in Apple's internal software development and deployment. If that happens more than once, not only will we have an indicator of immaturity, but we'll also have an indicator that Apple can't learn from its mistakes. (Adobe, for example, would be an example of a company that seems to make the same mistakes over & over again.)

Again - specific incidents are not really interesting unless I perceive them as indicators of larger, more persistent problems.
 
I have to close up my 11" Air home computer, buzz into work and light up my 11" Air work computer. ;-)

--Mike


I don't know if Apple is ten years behind Microsoft on desktop security or not. I'm pretty sure, though, that there is nothing about OS X (or any other desktop operating system) that is inherently superior such that we can afford to ignore the fundamentals of desktop security. This exploit, for example, is platform neutral.

Apple has joined the big leagues. We'll soon find out how well they play.

I'm also pretty sure that even if we do rigorously follow security best practices, we'll still be doing our banking from botted desktops.

If it can surf the Internet, it cannot be secured.

Tuesday, May 1, 2012

OT: A plan.

Aaron Smith posted this story about the kindness of an NYC cab driver. It's a good read, and it reminds me of something vaguely similar that happened to me a few decades ago.

I had just moved 400 miles from home to a small town in Minnesota near where my grandfather's sister had moved in the 1930s. He didn't get to see her very often, so when I moved near her farm he had an excuse to make the trip.

The house I bought needed a ton of work, my youngest brother needed an excuse to skip high school, and my grandfather needed a ride to Minnesota, so I ended up with a couple of hard-working helpers one weekend or so per month. Good deal for me.

One weekend my grandfather insisted on coming out to Minnesota. He had just been out a few weeks earlier, I didn't need any help and my brother wasn't enthused about another road trip.

He insisted.

They made the trip.

While he was helping me strip wallpaper that weekend, I noticed that he was hitting the nitro pills pretty regularly. He'd had a heart attack about ten years earlier but all things considered appeared to be in fairly good condition. I asked him about the nitro but didn't get much of a response.

As he normally did, on that weekend he visited the sister that lived nearby. On the way home, though, he asked my brother to detour a couple of hours out of the way to visit his other sister. That was new.

The day after he got home from the road trip he went outside and did the one thing that he'd not done since his heart attack. He split wood - not with a powered splitter, but with an ax, the old-fashioned way, just as he'd done from the time he was a kid up until his heart attack a decade ago.

He died splitting that wood.

I'm pretty sure that he had a plan.

Sunday, April 15, 2012

Apple joins the big leagues

I've been hearing 'OS X is secure' for a decade now. For a decade, I've been challenging that assertion.

The challenges to that assertion generally end up with a response of 'because it's Unix' or 'because it's not Microsoft'. I don't recall 'OS X is secure' assertions being backed up by detailed explanations of anything in the kernel, operating system, development tools or coding practices that assures a higher level of security than competing operating systems, and I don't hold that a Unix history automatically ensures a more secure platform. My first forensic examinations were Unix, not Windows, and I can easily assert that the reason that we have more compromised Windows servers and desktops is because we have more Windows servers and desktops.

Unfortunately the 'OS X is more secure' fantasy has left some (or many) with the impression that they don't need to practice safe computing on Macs. It is OK to run as admin. Anti-virus is not necessary. Drive-bys are a Microsoft problem. In my opinion the smoke and mirrors surrounding 'OS X is secure' have also led to complacency on Apple's part. They are not as aggressive at implementing security-related operating system improvements (such as ASLR) or routine security patches, nor have they implemented the really basic security controls that I implemented more than twenty years ago on our NetWare servers (remove the execute permission from directories that contain user data, remove the create/write permission from directories that contain executable code). With the latest attacks on OS X applications and with Apple's apparent inability to defend its operating system against drive-by vulnerabilities in third party software, the 'OS X is secure' attitude must change. A half million users can't be wrong, and those users will eventually move past their denial phase and expect Apple to step up to the plate.
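The two NetWare-era controls above translate directly to a Unix filesystem. This added example (my illustration, not code from the original post) audits a tree for the two violations, no executable files where users write data and nothing group/other-writable where executable code lives, and then enforces the policy. Which directory plays which role is an assumption passed by the caller; the sample tree is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): audit and enforce two filesystem
# controls on a Unix tree: no executable files in directories that hold user
# data, and nothing writable by group/others in directories that hold code.
# The directory roles are assumptions supplied as arguments; the sample tree
# below is constructed for the demo and the test.

# Report regular files with any execute bit set under a user-data directory.
# Returns 1 if any were found, 0 if the directory is clean.
audit_data_dir() {
    offenders=$(find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'executable file(s) in data directory %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Report entries (the directory itself, subdirectories or files) writable by
# group or others under a directory that holds executable code.
# Same return convention as audit_data_dir.
audit_code_dir() {
    offenders=$(find "$1" \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'group/other-writable entries in code directory %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Enforce the policy: strip execute bits from files in a data directory,
# and strip group/other write bits from everything in a code directory.
harden_data_dir() { find "$1" -type f -exec chmod a-x {} + ; }
harden_code_dir() { chmod -R go-w "$1" ; }

# Build a constructed sample tree that violates both rules; prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/data" "$root/bin"
    printf 'quarterly numbers\n' > "$root/data/report.txt"     # plain data: fine
    printf '#!/bin/sh\necho dropped\n' > "$root/data/tool.sh"  # executable dropped into data: violation
    chmod 755 "$root/data/tool.sh"
    printf '#!/bin/sh\necho app\n' > "$root/bin/app"
    chmod 755 "$root/bin/app"
    chmod 777 "$root/bin"                                       # anyone can replace app: violation
    printf '%s\n' "$root"
}

# Demo: audit, harden, audit again.
demo() {
    root=$(make_sample_tree)
    audit_data_dir "$root/data" || :
    audit_code_dir "$root/bin" || :
    harden_data_dir "$root/data"
    harden_code_dir "$root/bin"
    if audit_data_dir "$root/data" && audit_code_dir "$root/bin"; then
        echo "after hardening: both directories pass"
    fi
    rm -rf "$root"
}
demo
```

The audit functions return non-zero on a violation so they can be dropped into a cron job or a configuration check; the same checks apply to shared data volumes mounted from a server.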

Apple will have to up their game a bit on incident response, too. An urgent fix for a months-old vulnerability followed by a fast-tracked effort to provide a malware removal tool, resulting in three updates in ten days, doesn't leave me with the impression that they have a well-oiled response machine. Apple will feel the heat that has been directed at Microsoft the last decade (and at Unix systems before that). Hopefully they will learn from their competitors and react to the new landscape better and faster than their peers did.

Apple can't blame Sun either. The vulnerability of Java is well known (as are the vulnerabilities of Flash, Reader, Safari, Firefox…). Apple also has had plenty of opportunity to learn from their own mistakes, having repeatedly offered multiple versions of vulnerable desktop software to their customers.

I figure that it'd be pretty boring surfing the web with a platform that isn't exposed to drivebys and remote root exploits so I never really embraced OS X as my preferred home desktop. Now that OS X is playing in the big leagues I figure that it is sufficiently challenging for me to use it as my preferred desktop, and I went out and bought an 11" Air for my home computer.

Update 2012-05-11: Apple accidentally logs passwords in clear text. In football (soccer) that would be an "own goal". A major league fail.

Thursday, March 29, 2012

Twenty percent of all households have at least one bot-infected computer

...and 5% of all enterprise 'assets' are infected.

From Gunter Ollmann, VP of Research at Damballa, in this post on CircleID:

"...on average, between 3-7% of assets within enterprise networks are identified as being infected..."

"Within the ISP/Telco world that have chosen to deploy the Damballa CSP product, between 18-22% of unique subscriber IP addresses are actively seeking to connect to known C&C servers."

Ouch.

Note that this is bot-net infections only, not the broader category of computers infected with malware in general. 

When I first started securing systems a couple of decades ago there were no external threats. We had Netware, IPX and Arcnet. The only path to a compromise of confidentiality or integrity originated on a keyboard within the campus. There were no external threats. The threat to our systems was from the inside, and the risk from insiders was mitigated by the assumption that we'd be able to pin the actions initiated at a keyboard inside our buildings to an individual, and that the individual would know that the actions would be traceable. It wasn't foolproof - you routinely read about employees misappropriating employers' funds - but as far as I know, it was a manageable problem.

Then we connected our wonderful safe little island to the Internet. It didn't take long to figure out that an action by an outsider, external to our island, was a threat to our systems. The solution? Firewalls, of course. If the outsider can't get in, we can focus on the threat from the inside where we know who is at the keyboard, where they know that we know, and where they know that detection and prosecution is a likely outcome.

Today? Unlike years ago, we cannot associate the actions of a keyboard with the individual sitting at the keyboard. This effectively means that what used to be external is now internal, and what has always been internal is now external. What used to be a fairly clear delineation between something that happened from the outside and something that happened internally is gone. We no longer can assert that we know who is at any particular keyboard, and tracing an event back to an internal keyboard doesn't permit us to presume that the action was initiated by a person internal to the organization.

The external threat is inside your enterprise.



Monday, March 26, 2012

Microsoft and its partners seize servers...

Microsoft press release on their Zeus botnet server seizure:

"This disruption was made possible through a successful pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets."

"As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., to seize and preserve valuable data and virtual evidence from the botnets for the case."

Emphasis is mine.

From the actual seizure order:

"There is good cause to believe that the Defendants have engaged in…Trademark Infringement, False Destination Origin, and Trademark Dilution…"

Emphasis is mine.

So if I'm reading this correctly, Microsoft seized the servers, not federal law enforcement. Individuals who work for a corporation, not law enforcement agents who report to elected officials, executed the seizure. A corporation has, with the permission of a court and while escorted by law enforcement, seized property using (among other things) Trademark Infringement as a justification.

Kudos to Microsoft for taking bold action. A large corporation like Microsoft can put far more resources on something like this than law enforcement. (The best funded crime lab in my home state is at the home offices of a large nationwide retailer, not at a government facility.)

But we should stop and consider whether we really want corporations leading law enforcement actions.

Thursday, March 8, 2012

I thought I had this privacy thing figured out, but…

…maybe not.

I’m trying out the Collusion plugin for Firefox and the results are interesting. After a couple evenings of my normal surfing routine, the plugin looks like:

[Screenshot: Collusion plugin graph after a couple of evenings of browsing]

Yuk.

As expected, Google appears at or near the center of attraction.

[Screenshot: Collusion graph centered on Google]

I use the Google suite for anything related to my profession and I use Google's competition for anything unrelated to my role as an IT professional. My theory is that as a public employee in Minnesota, pretty much everything I do professionally is public anyway, so I figure that there is no net loss to using the Google stack. The Collusion plugin shows that I'm merging the two realms far more than I thought.

Also unexpected are several domains that I’ve never heard of, including something called imrworldwide:

[Screenshot: Collusion graph showing the imrworldwide domain]

I have no idea who they are, but they know more about me than I’d like.

I use Adblock Plus and NoScript plugins and I accept third party cookies, but I clear all cookies each time I close Firefox (once every few weeks), so I’ve assumed that I’m less ‘connectable’ than the typical surfer.

It looks like I’m not as segmented as I thought. I’ve added ‘Antisocial’ and ‘Adversity’ block lists to Adblock Plus.

Thursday, February 16, 2012

Monday, January 30, 2012

Oracle Support portal: HTML 5 replaces Flash

Oracle Support is upgrading their web interface from Flash to HTML5. I’m happy. I no longer have to twiddle my thumbs waiting for Flash to load:

[Screenshot: Oracle Support Flash loading screen]

That was really annoying. The consolation prize was that the Flash UI was still two orders of magnitude faster than the callback from support on a Sev 1, so the Flash interface really didn't affect MTTR.

My major complaints about the Flash interface were:

Managing Flash plugins on critical data center servers & management infrastructure. Adobe simply has not been able to keep Flash from being exploited, so having to rely on an exploitable plugin for daily operations never made me comfortable. It is really nice to be able to gather data on an incident and upload it directly to Oracle but that meant that the database management infrastructure had to have Flash plugins along with the associated risk/cost of an exploitable plugin.

Slow and unreliable. When I log into the Flash based support site, I typically need to reload the Flash app at least once, usually at the 90% marker. The new HTML5 interface is faster than Flash and doesn’t hang on startup.

Not tab aware. What could be more natural than opening up multiple SRs at once, each in their own tab? How about being able to search & opening up each result in a separate tab? Or being able to put an SR and its associated bugs side by side? The Flash UI couldn’t handle more than one tab. It excelled at making every interaction with the interface strictly linear.

Unfortunately what’s out there today still isn’t tab-aware. In IE I don’t get a right-mouse menu at all and if I try opening up new tabs on Firefox, I end up with:

[Screenshot: Oracle Support 403 error when opening a new tab]

However, if I'm viewing an SR and I right-click on the printer icon, I can display the SR in a standalone tab. That helps. I still can't open up an SR alongside its associated bugs though.

I suspect that Oracle's lead UI designers are constrained by strict linear thinking. It probably never occurs to them that a user might work on more than one problem at a time or that a user might want to view both SRs and bugs at the same time. Or maybe Oracle has a corporate policy that prohibits two-button mice and browsers with tabs.

FWIW - In the process of playing with tabs, I also ended up here:

[Screenshot: Oracle Support NullPointerException page]

Amusing.

50 million Megaupload users…

… have data in danger of being erased.

From Daniel Wagner's AP story, it looks like:

  • The Feds are done cloning servers. They have what they need. They don’t care.
  • Megaupload assets are frozen. They might care, but are helpless.
  • The hosting companies for Megaupload [Cogent|Carpathia] [don’t have access|can’t comment].

Presumably there are legitimate customers of Megaupload who stored stuff that did not stomp all over other people's copyrights. If so, it sounds like those customers are screwed.

Update Feb 02 2012: Maybe not. Carpathia Hosting and the EFF are stepping up to the plate.

Sunday, January 29, 2012

Secret question fail

My credit union switched to a new service provider for online banking and bill paying. The good news is that they've chosen a service provider that has a fairly modern looking interface, unlike the 1990s interface of their old provider. Among other things, they no longer use a captcha as a security factor and they now require "the latest versions of Internet Explorer and Firefox [...] SSL compliant with 128 bit encryption" instead of IE5 and Netscape 6.2. I keep thinking that the old interface was screen scraping a TN3270 session in the background. The new interface at least gives the appearance of having been written this century.

They did not set the world on fire with their state of the art authentication though. As far as I can tell, they still think that a secret question is a second authentication factor, and they regressed significantly by prohibiting me from creating my own questions. I used to have a secret question like ‘Who is Z's5.'vYCf!.v/Zu31wkJYjR’ with an answer something like ‘y=t0FgZtH+CMPS-!tjLB_Cac’.

Now I’m stuck with:

[Screenshot: the credit union's fixed list of secret questions]

This is really unfortunate. Of the 20-odd questions, at least 11 of them are available via ordinary public record searches, searchable ancestry records or social networks, and some of the remaining questions have limited entropy. In my case, various relatives of mine have published enough family history that all of the ancestry related questions are unusable for identity verification. The selection of questions is really poor.

I certainly hope that the credit union's customers are smarter than the service provider and take it upon themselves to compensate for the service provider's incompetence by fabricating nonsensical answers to the questions.

I also hope my long gone grandfather isn’t too put off by my assertion that his occupation was ‘.oUDq9%Y^yP7dRJoM9TTSG’ .

Thursday, January 26, 2012

“We keep logs as far back, as long as we have had software to keep logs.”

If I'm reading this right, Symantec had a breach in 2006 but didn't think that the breach was significant. After learning that older versions of their source code were stolen, they re-analyzed the 2006 event from 6 year old logs (!) and determined that the source was stolen during that incident.

The interesting bits:

Nobody that was involved in the 2006 breach is still at the company, but the logs still existed and were sufficiently detailed to reconstruct the event. That's really impressive.

Presumably whoever stole the source could have been busy writing bots that were undetected by Symantec AV. I don't know that to be the case, but it certainly is possible. Owning the source code for an AV product would certainly be a competitive advantage for a bot-maker.

Symantec's advice to shut off pcAnywhere is interesting. It's not the usual advice you get from companies with exploitable software. Oracle has never asked us to shut off their unbreakable databases.

It’s broken, shut it off.