2008-11-14

Mirror's Edge

This sounds like a really cool game (warning: annoying flash and sound inside) with an intriguing plot:

"Once this city used to pulse with energy; dirty and dangerous, but alive and wonderful. Now it is something else. The changes came slowly at first. Most did not realize or did not care, and accepted them. They chose a comfortable life. Some didn't... they became our clients.

"In a city where information is heavily monitored, agile couriers called runners transport sensitive data away from prying eyes. In this seemingly utopian paradise, a crime has been committed, your sister has been framed and now you are being hunted."

And besides, that's a really freaking cool tat. Even if it is anime-ink. I wonder if the discovery to beat the game is realizing the effectiveness of hiding in plain sight. I doubt it. That would be a pretty crappy video game. It might make for a pretty sweet aspect, though. I'm not a huge gamer, but I do have myself an Xbox 360. I may have to check this out.

The game is an extreme example, but nevertheless a potent reminder that hiding data isn't always bad... a notion utterly lost on many in the general public. Any awareness is good awareness.

2008-11-12

Solve the right problem with NAC


NAC is an important technology. It's neat. It's cool. But it's expensive. And, while many Cisco or networking zealots may argue to the contrary, it's not always necessary.

NAC prevents unauthorized computers from participating in a network. This is useful for environments that your IT staff does not control but must still grant some level of access to. VPNs, of course, are one of the most common examples. They also happen to be one of the simplest use cases for most administrators.

However, in corporate environments where assets are owned by the same entity that controls the network, NAC shouldn't be a replacement for good software management. With a few notable exceptions, if you can implement NAC, you can typically implement good software management on your endpoints.

NAC is also not an appropriate binary access control mechanism in most cases. If the primary goal is to restrict network access to computers you own, this is a site security problem. Naturally, if you have contractors or customers who require access to your network, there is a role for NAC to play. The right answer here is to define your security requirements in general terms, articulating for each aspect where the line falls between an IT concern and a physical security concern.

Use NAC. But do it with a clear understanding of your goals, and apply it just like you would any other technology: where it's appropriate. IT solutions are slick, but they're not always the best option available.

Image from http://download.101com.com/wa-mcv/spo/images/april7/monitor.gif

2008-11-06

Why the Obama-McCain Hack may be bigger than you think

A recent Newsweek article revealing that both US presidential campaigns were compromised by 'a foreign entity or source' is getting a lot of attention. The article ominously quotes the FBI: "You have a problem way bigger than what you understand." Boy aren't they kidding. Let me explain a parallel to you, since the correlation is far from obvious.

You have probably read news reports about defense-related data on unclassified networks being targeted by actors that seem to be abroad. Working professionals in the defense infosec industry understand the logic from the perspective of an adversary: target technology while it is being developed on unclassified networks, by necessity for collaboration, because once the military receives the technology it will be harder to get these details as some become classified or more closely held. There is asymmetry between information sourced at contractors (tends to be unclassified), versus the very same type of information sourced within the government (tends to be classified). This is one of the not-secret, but not-widely-known dirty little truths about our classification system.

Here, we see the same tactic with a wholly different kind of information. Policy decisions being made by the Obama and McCain camps during election season are likely to translate into official US Government policy once one of them is elected, at least insofar as election promises are upheld. Some of these details are likely going to be held close to the vest, and almost certainly classified. Naturally, while policies are under development in a not-yet-elected campaign office, they are unclassified, with custodians (campaign workers) unqualified or uninterested in protecting them - except possibly from the other candidate. This is a brilliant application of the same tactics available to adversaries for acquiring military technology, perfectly timed for the only period in which such an attack may succeed in compromising the confidentiality of future policy stances. This parallel may have significant implications; exactly what they are depends on the viewpoint of the reader, but the alignment is no less than 'quite interesting.'

If there is a silver lining here, it's that Barack Obama's office now has a first-hand understanding of just how severely questions of information security and electronic espionage have the potential to impact national security. Let's hope they remember that when deciding on IT and government-wide security strategies for the next 4 years.

2008-10-24

In Case of Vulnerability, Do Not Discard Brain

I saw this while reading Bruce Schneier's blog last night and felt it entirely appropriate to the recent reaction of the security community to flaws in major pieces of software.

First, there was Dan Kaminsky's DNS flaw. EVERYBODY PANIC! Not only was the community in an uproar about how this could be the end of the Internet as we know it, but adoration of Kaminsky was rampant, with some claiming he even changed the future of internet security by being the umpteenth person to practice responsible disclosure. The flaw was serious. Swift reaction by administrators was in fact necessary to stymie widespread problems. But the panic induced and the irrational aspects of the response are not much different from US citizens immediately surrendering their civil liberties post-9/11, somehow thinking this would prevent another terrorist attack. The one unusual example set by Dan Kaminsky was his rational approach to a serious vulnerability. That, my friends, is what is lacking in our community today.

Case in point: the most recent Microsoft RPC vulnerability and corresponding out-of-cycle patch: MS08-067. Should we be concerned about this? Absolutely. Does PoC code exist? Yes - and we know our Antivirus vendors won't detect it because they feel proof-of-concept code is insignificant rubbish. Oh, woe is the security analyst! Even the venerable SANS Internet Storm Center is in a tizzy:

It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak or botnet activity.

Look, a swift response is necessary, and for those responsible for software patching this is most certainly an all-hands-on-deck scenario. I maintain, though, that this is mostly a concern for home users. In light of the Nimdas, Code Reds, Slammers, and Blasters of the past, companies have built and honed their software patching infrastructure - especially with respect to Microsoft products. And once our Anti-Virus masters deem the proof-of-concept code "in the wild", when their job becomes easy, I'm sure we'll get detection for our AV products. Distribution of virus definitions is also a mostly-solved problem for the enterprise. The only folks who need to worry are those who work in environments where management has decided that these infrastructure components are not important, and therefore problems still exist despite a litany of products available to address them... and Mom and Dad, of course.

The security community needs to make sure the appropriate urgency is communicated to individuals responsible for infrastructure components, and keep their ear to the ground, but this is not a time for panic. Panic leads to irrational decision-making like slamming out patches without adequate testing on mission-critical systems, and reduced focus on sophisticated adversaries in favor of these more broad issues which, in the end, will most likely have a smaller impact in terms of net loss if handled with grace.

In case of vulnerability, do not discard brain.

2008-10-17

Antivirus is failing; long live antivirus

From the most recent SANS Newsbites:

--Security Suite Vendors Question Secunia Study
(October 15, 2008)
Makers of antivirus products and security suites are calling into question the validity of a recent study from Secunia. The study tested a dozen security suites against "300 exploits targeting vulnerabilities in various high-end, high-profile programs" and found the highest scoring suite caught just 64 of the 300 exploits. Some of the companies whose products were tested say that just one aspect of their products was examined. Others whose products were not included called the study a publicity stunt.
http://www.darkreading.com/document.asp?doc_id=166027&f_src=drdaily
http://www.theregister.co.uk/2008/10/15/secunia_tests_backlash/
[Editor's Note (Skoudis): Designing a thorough and fair test regimen is quite difficult, and running the suite of tests against increasingly complex products is very time consuming and expensive. Matt Carpenter and I did this in 2007 for seven endpoint security products, and it consumed two months of our time. Whenever you see a test report of security products, make sure you look carefully at the description of the test methodology and testbed to determine what they measured and how. No test suite is perfect, but some better reflect operational environments than others.]


I took a look at Secunia's test methodology. They cover a broad range of exploits used by sophisticated adversaries in modern highly-targeted attacks. Their results for particular malicious files & attack types I've seen reflect my own experiences at a large enterprise CIRT, defending against highly-targeted attacks designed for the explicit purpose of compromising proprietary information. Not surprisingly, their resulting detection rate reflects my experiences as well. While the proportions used by Secunia may not have fairly reflected the universe of malware that's "in the wild" today, I don't care. There's no point in comparing detection rates for Blaster, Slammer, and other previously-solved problems. What I care about are the serious threats: the malware that's being used against carefully-selected targets, and that's working. The malware that only has to change by less than 5% (as measured by fuzzy hashing à la ssdeep) to evade detection by leading vendors. That's where the adversaries' focus is today, it's where we need anti-virus the most, and it's where anti-virus is failing us. Naturally, their conclusion is spot-on:

These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities.

Kudos to Secunia for standing up to the industry.

Most of the anti-virus vendors are fighting hard to maintain a status quo which no longer reflects reality. If you'll recall, they lashed out against Skoudis and Carpenter when their tests led to similar conclusions about the state of the AV industry almost exactly a year ago. They're better off putting their resources into product engineering to address 21st century threats, than marketing and PR.
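To make the fuzzy-hashing remark above concrete, here is an added Python example (mine, not Secunia's, not the ssdeep tool itself, and not code from this post) implementing a toy context-triggered piecewise hash in the spirit of ssdeep. Everything in it is constructed for the illustration: the sample bytes come from a seeded PRNG rather than any real file, the "variant" alters about 5% of the content (100 bytes inserted, 100 bytes overwritten), and the chunking parameters are my own choices; ssdeep's real block-size selection, rolling hash and signature format differ. What it shows is the defender's side of the 5% point: an exact hash is useless for linking a lightly modified variant to a known sample, fixed-offset blocks fail as soon as bytes are inserted, and content-defined chunking keeps most of the match.

```python
"""Toy context-triggered piecewise hashing (CTPH), in the spirit of ssdeep.

Added illustration only: this is not ssdeep's algorithm or output format.
All sample data below is constructed (seeded PRNG bytes, not real malware).
"""
import hashlib
import random

BASE, MOD, WINDOW = 257, 1 << 32, 8          # rolling polynomial hash over 8 bytes
BASE_POW = pow(BASE, WINDOW, MOD)            # factor for dropping the oldest byte
TRIGGER_MASK = 0x3F                          # boundary when low 6 bits are set: ~1 per 64 bytes


def sha256_hex(data: bytes) -> str:
    """Exact (cryptographic) hash: what a traditional file signature compares."""
    return hashlib.sha256(data).hexdigest()


def content_defined_chunks(data: bytes) -> list:
    """Split data wherever a rolling hash of the last WINDOW bytes hits the trigger.

    Boundaries depend only on local content, so an insert or overwrite disturbs
    just the chunks around it and the remaining chunks re-synchronise."""
    chunks, start, h, window = [], 0, 0, []
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        window.append(b)
        if len(window) > WINDOW:
            h = (h - window.pop(0) * BASE_POW) % MOD
        if len(window) == WINDOW and (h & TRIGGER_MASK) == TRIGGER_MASK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data: bytes, size: int = 64) -> list:
    """Naive alternative: fixed 64-byte blocks, whose contents depend on absolute offset."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def fuzzy_signature(chunks: list) -> set:
    """One short digest per chunk; the set of digests is the piecewise signature."""
    return {hashlib.sha1(c).hexdigest()[:8] for c in chunks}


def similarity(sig_a: set, sig_b: set) -> float:
    """Jaccard similarity of two signatures, 0.0 (nothing shared) to 1.0 (identical)."""
    if not sig_a and not sig_b:
        return 1.0
    return len(sig_a & sig_b) / len(sig_a | sig_b)


def sample_blob(seed: int = 7, size: int = 4096) -> bytes:
    """Constructed stand-in for a file body (seeded PRNG bytes, not a real sample)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def make_variant(data: bytes, seed: int = 11) -> bytes:
    """Constructed ~5% variant of a 4096-byte blob: overwrite 100 bytes at offset 3000,
    then insert 100 bytes at offset 1000, which shifts everything after it."""
    rng = random.Random(seed)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    buf = bytearray(data)
    buf[3000:3100] = noise(100)      # same-length overwrite (no shift)
    buf[1000:1000] = noise(100)      # insertion (shifts all later offsets by 100)
    return bytes(buf)


def compare(original: bytes, variant: bytes) -> dict:
    """Exact-hash verdict next to fuzzy similarity under both chunking strategies."""
    return {
        "exact_match": sha256_hex(original) == sha256_hex(variant),
        "fixed_block_similarity": similarity(
            fuzzy_signature(fixed_chunks(original)), fuzzy_signature(fixed_chunks(variant))),
        "ctph_similarity": similarity(
            fuzzy_signature(content_defined_chunks(original)),
            fuzzy_signature(content_defined_chunks(variant))),
    }


if __name__ == "__main__":
    known = sample_blob()
    suspect = make_variant(known)
    for key, value in compare(known, suspect).items():
        print(f"{key}: {value}")
```

The exact hash says "different file" and nothing more; the fixed-block signature collapses because the single insertion shifts every later block; the content-defined signature still shares the large majority of its chunks with the known sample, which is what lets an analyst cluster a lightly re-packed variant with the family it came from and judge how far a detection signature needs to generalise.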

2008-10-13

Airplane epiphanies

I have the strangest epiphanies on airplanes. And I fly a lot for work. The convergence of these realities means I have many strange epiphanies that I need to sort through and figure out which are worthy of a second thought and which aren't. I wish I knew why - it must be something about the combination of the effects of altitude, boredom, the random musings of my iPod's "shuffle" feature, and the occasional overpriced adult beverage. But I digress...

My iPod randomly happened across Stevie Wonder's Sir Duke this evening, which naturally made me reminisce about how much I used to love his music. I went on to listen to the many other brilliant recordings of his I had. I then browsed around and found my purchase of Michael Jackson's Thriller, on the recent 25th anniversary of the release of the best-selling album of all time. I thought to myself how much I loved both of these artists back in the 80's, only to forsake them for nearly a decade as uncool or otherwise irrelevant to contemporary rock. Oh how I would've lamented my future had 21-year-old me seen 30-year-old me lip-syncing Part-Time Lover with the zeal of a teenager on a flight to Las Vegas. But today I look at these artists, and their work, with a sense of greater perspective. Yes, there are cheesy elements to these songs that often relegate them to the bowels of dentists' offices, but the important components that made them great in the first place - the groove, the feel, that were all fresh and new then and now serve as the basis for so many other hit songs - those elements are still there and worthy of study. Listening again, I could only shake my head that I had ever thought these important components had been overlooked by myself or others, and feel guilty for having let such obviously timeless elements be forgotten, even if temporarily. And yet they were, and now the same thing is happening to music produced in the 90's.

Where could I possibly be going with this? On the eve of delivering a presentation that will call the classic incident response model 'irrelevant,' I see similar veins of amnesia in the security community. We started off with email viruses, and "evolved" to large-scale worms with the dawn of the new millennium. In 2003, if you had asked any one of us about a Word document with a macro that drops code, we would've laughed in your face at your ignorance and failure to evolve with the rest of the world. Yet that very mechanism is how malicious code is being delivered today, with adversaries exploiting the KISS principle like we never would've guessed. Email attachments that compromise systems - what could be more elegantly simple? The bad guys remember how Stevie Wonder's groove totally drove Superstition, or how the unique combination of rhythm and timbre absolutely set Michael Jackson's hits a whole level above anything else at the time. They know how to take these key elements and build new art with them. I've seen macro viruses be incredibly effective as recently as 2007, when married with highly-effective social engineering that convinces users to bypass the very mechanisms there to protect them from that danger.

Today, many scoff at the Blaster and Slammer worms of 2001-2003 as bygones of a past era. They are no longer the key focus of our adversaries, and we must evolve along with them (make no mistake about it - the bad guys, not the good guys, drive this industry). But in our haste to move forward, we must remember the elemental components, the groove, of the internet worms of the past, or we'll be destined to suffer from them again.

2008-10-03

Fostering the Multidisciplinary Analyst

In my years in information security, I've come to appreciate my liberal-arts undergraduate degree in ways I never thought I would. This has driven me to increasingly read up on ostensibly unrelated subjects in science and engineering. At the very least, it has been interesting. And at times, it has lent insight into new ways of solving problems that I would likely not otherwise have thought of. It's been this drive to broaden my technical horizons that has made me a huge fan of Scientific American over the past year. I've become an avid reader. If you don't have your own source of broader knowledge, I would encourage you strongly to find one. It has been the catalyst that has allowed me to take my career to that always-desired "next level."

On a related note, I have two specific recommendations. In the most recent SciAm (Vol 299, Num 4) Perspectives, editor Matt Collins writes Questions for Would-be Presidents. If you're planning on voting in the US this fall, which any responsible citizen should, this will be an interesting one-page read for you. Make no mistake about it, while issues of science are rarely if ever discussed in national media, the questions Matt poses are the type that will drive the country's innovation and inevitably determine our place on the globe 10, 20, and 50 years from now.

The second recommendation I have is the entire Vol 299, Num 3. The featured articles in this issue focus on the area of security and privacy, and include the best single article on encryption I've ever read, How to Keep Secrets Safe, by Anna Lysyanskaya. I'm quoting liberally from it in a revision of an encryption class I teach at the company I work for, and I'm certain that anyone finding this blog of interest will enjoy it.