Tuesday, November 06, 2007

More Unpredictable Intruders

Search my blog for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 term unpredictable and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 majority of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results describe discussions of one of my three security principles, namely

Many intruders are unpredictable.

Two posts by pdp perfectly demonstrate this:

How many of you who are not security researchers even knew that data: or jar: protocols existed? (It's rhetorical, no need to answer in a comment.) Do you think your silver bullet security product knows about it? How about your users or developers?

No, this is anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r case where cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first time you learn of a feature in a product is in a description of how to attack it. This is why cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "ahead of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 threat" slogan at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 left is a pile of garbage. This is anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r example of Attacker 3.0 exploiting features devised by Developer 2.5 while Security 1.0 is still thinking about how great it is no big worms have hit since 2005. (The specific cases here are worse than Developer 2.5, since jar: and data: protocols are apparently old!)

How do I propose handling issues like this? As always, NSM is helpful. If you've been keeping track of what happens in your enterprise, you can perform some retrospective network analysis (RNA) to see if you've seen this latest attack vector. (RNA is a term which Network Instruments would like to have coined. I like it, even though cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 concept of recording traffic in this manner dates back to Todd Heberlein's original Network Security Monitor in 1988. The first mention I can quickly find is in this 1997 paper Netanalyzer: A retrospective network analysis tool.)

RNA and, from this point of enlightenment, ongoing network analysis via NSM and, ideally, ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r forms of instrumentation (logs, etc.) facilitates impact assessment. Who cares if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sky is falling somewhere else, as reported in whatever online news story -- is your sky falling? If yes, what's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 damage? How best can we mitigate and recover? These are cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 sorts of questions one can answer when some data is available, enabling management by fact and avoiding management by belief.

11 comments:

dre said...

How many of you who are not security researchers even knew that data: or jar: protocols existed? Do you think your silver bullet security product knows about it? How about your users or developers?

What concerns me most is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Firefox developers and security team did not know about it.

In Web-Centric Short-Term Incident Containment you mention netsed, Whitetrash, and Palo Alto Networks. Trusteer.com and similar technology will start to become available to solve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se client-side issues before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 big browsers think about re-working cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir issues (special note: requires starting from scratch).

I recently saw Jay Beale present at Toorcon 9 on Their Hacking our Clients. The presentation is worth a read. In his last slide, he speaks to a possible solution using "client-side IPS/NAC".

Of course, Beale, WhiteTrash, and Trusteer are just scratching cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 surface of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 problem here - adding more "icing" and less "baked-in" security.

The truth, if you can handle it - is that only links can be assured to any level of realistic security for browsing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet (from a restricted shell, of course) - even with all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 protections mentioned earlier. You won't see URI abuse issues in code that precludes that functionality.

If we really want to consider Javascript to be "safe" enough for regular browsing, we should follow cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 advice from Tim Brown as mentioned in this article from gnucitizen on xss worms and mitigations controls.

Do I often browse with Firefox using NoScript, CookieSafe, and LocalRodeo? Yes, but really it's not good enough as cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se sorts of findings demonstrate. Can I detect attacks given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best-of-cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365-best in RNA or NSM (note: I do have FireKeeper installed)?

It's my opinion that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 detection paradigm will not work... it certainly doesn't work for spam. Isn't cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 technology (regex, parsers, etc) in spam filtration cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same in IDS/IPS? Actually, no, IDS/IPS requires a hell of a lot more complexity, more protocol support, etc - making it even less reliable!

People in charge of building software need to stop development and implement cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ideas available in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 recent DJB paper. Larger projects will need to look at formalizing requirements, abuse cases, and taking on risk-based security testing techniques.

To this end, I recently had cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 pleasure of attending cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 VERIFY 2007 conference in DC, where I saw Sean Barnum of Cigital speak about Leveraging Attack Patterns for Software Security Testing where he presented all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 current research from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CAPEC project at MITRE. I urge people to read his presentations available here.

I also had a chance to speak with Brenda Larcom (founding member of Octotrike) regarding her presentation on Privilege-Centric Security Analysis given at Toorcon 9 in San Diego. A good explanation of her recent presentation is available here.

One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 largest problems preventing popularity of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se approaches (Larcom, Barnum, CAPEC, et al) may possibly be related to terminology. "Privilege-centric", "risk-modeling", "risk-based security testing", "attack-modeling" and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Microsoft favorite, "threat-modeling" (which Sean Barnum explains is really a part of Architectural Risk Analysis as explained in that document) - all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se terms tend to muddle up and confuse cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 industry.

Richard Bejtlich said...

Hi dre,

You said

"Can I detect attacks given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best-of-cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365-best in RNA or NSM (note: I do have FireKeeper installed)?

It's my opinion that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 detection paradigm will not work... it certainly doesn't work for spam. Isn't cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 technology (regex, parsers, etc) in spam filtration cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same in IDS/IPS? Actually, no, IDS/IPS requires a hell of a lot more complexity, more protocol support, etc - making it even less reliable!"

I am not proposing that detection is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 answer to this problem. Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r, I propose visibility as a means to see if you are affected by it. If at some point we realize that a class of activity is so opaque that it is not possible to see it in action, that should be a big indicator that it's a problem. It's an application of my "building visibility in" idea.

Richard Bejtlich said...

Dre, I forgot to say that was a really good post -- lots of good ideas and references.

Steven Andrés said...

Excellent post, Richard (and Dre). It was one of those sipping-cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365-coffee-spitting-onto-keyboard moments when I read your post about jar and data protocols. "WHAAAAAT??"

dre said...

Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r, I propose visibility as a means to see if you are affected by it

@Richard: You have a really good point here - visibility can really help to learn how real-world attacks work, as well as to sometimes identify unknown attacks.

I'm not sure that visibility requires a hefty investment in infrastructure to do this, however. In my mind - you don't need line-rate packet capture devices with taps on every upstream hard-wired Ecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rnet port and AirDefense at every corner of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 office. You can simply take samples of traffic using tcpdump or Wireshark from cheap mirror ports. Add some old laptops with AirPcap and rpcapd.

For attacks of this nature - I would racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r just simply note how your organization is affected by it (a proof of concept in a lab should be able to demonstrate this). If everyone running Firefox (35% of your organization) is vulnerable - cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n some sort of scheduled protection should go into place if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 software-provider does not plan on providing a patch/upgrade.

I prefer an actionable prevention plan vs. a "sit-and-wait" detection approach.

Richard Bejtlich said...

dre,

Visibility, like "security," is cheaper if designed into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 architecture and not bolted on. When visibility is an afterthought it can be more expensive.

While I think sampling is better than nothing, using it as an ultra-cheap collection method is not what I would recommend for anyone who is serious about this problem.

I'm all for prevention -- cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 more cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 better. The problem comes when you don't know you are supposed to be preventing. This is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 whole point of NSM. It's not just "wait and see." It's "because I didn't even know what I was supposed to be waiting or seeing, I kept track of what happened in my company and now I have some data for investigation purposes."

PaulM said...

I think your best bet against cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 unknown class of vulnerability or, as is somewhat cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 case with pdp architect's new advisories, unknown attack surface, is monitoring for post-attack behavior.

Because while cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re was nothing looking for (and it will still be a week or so before cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re's anything that's good at parsing) URIs containing jar: tags, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end result is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same. It's XSS.

If you have a published app that could be exploited, monitor web server logs for shady stuff that your log parser pukes on or just looks out of place.

Or if you have users, look for browser-exploity things like errant .exe downloads, SMTP traffic from DHCP ranges, odd P2P traffic, etc.

Because while attacks change rapidly, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 underlying activity surrounding certain classes of vulnerability change much more slowly. By focusing on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se things, our response team now sends 0day to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 AV/IDS vendors on a weekly basis.

PS - Is it pick on ISS week? :-)

Richard Bejtlich said...

Paulm,

Definitely -- I need to blog this, but in brief I see three orders of monitoring:

1. First: Recon and exploitation (traditional IDS/IPS world)
2. Second: Reinforcement, consolidation, and pillage
3. Third: Consequences (company data on P2P networks, posted on .cn Web server, company IP in botnet C&C channel, etc.)

Anonymous said...

very good. thx guys!

Anonymous said...

Richard,

This may be off topic, apologies in advance.

Any thoughts on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 recent burglary at CIHost's Chicago datacenter ? (http://www.cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365register.co.uk/2007/11/02/chicaco_datacenter_breaches/)


Should datacenters also have armed guards (like banks) ?

Richard Bejtlich said...

Vivek,

No comment -- ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rs have covered this.