Internet Security Systems - AlertCon(TM)

Internal Security Expertise - Have you got the balance right?

Posted by Gunter Ollmann on September 02, 2008 at 4:52 PM EDT.

As I’m sure you’re already aware, security doesn’t come cheap. While individual security technologies get cheaper as they commoditize, the constant influx of new threats drives the need for new classes of protection and new locations to deploy them – meaning that organizations rarely see their IT security budgets shrink.

But, having said that, where does most of that expense go?

If you were to examine a typical organization's IT security budget, you'd probably see that the majority of spend isn't in new appliances or software license renewals; instead it lies in the department's staffing costs, appearing as salaries, compensation, training and certification, etc.

This is at odds with the way most organizations normally deal with specialized and professional skill requirements. For example, unless you're a specialized legal firm, the probability that your organization needs to employ its own full-time bar-certified legal team is practically nil. Sure, your organization probably warrants an internally staffed legal counsel position, and maybe some sufficiently trained support staff, but you'd be unlikely to be able to justify employing a dedicated bar-certified team, and then expect to keep them trained and certified in all the latest legal advances. Just about every organization I deal with (including some of the biggest international companies) relies upon external agencies to provide these specialist services and consultancy, as and when required; it's more cost effective that way.

With that in mind, why are organizations building up their own highly trained (and expensive) specialist internal security teams? Granted, some of the security technologies being deployed by organizations are relatively complex, but do they really require master's degree and CISSP-certified experts to babysit them full-time? From my perspective, if they do require that level of internal skill and support, the protection technology was either inappropriate for the business or it's been poorly configured and not optimized for actual business needs.

Sure, you do need to maintain some baseline level of security skills and headcount in order to ensure the efficient operation and delivery of business continuity. And maybe you’ll also require some level of escalation and response if you’re large enough and under a barrage of targeted attacks. But, is the balance correct?

Tapping Expertise

If lawyers aren't your thing, how about an example from first aid? Most organizations will have several employees trained in basic first aid, who regularly refresh their skills. Their role is to be the first on the scene, do what they can to advise or remediate the problem and, most importantly, understand when to call in the experts. While some organizations may even have a dedicated nurse on staff, what you're not going to find is a bunch of salaried doctors and surgeons on the full-time payroll looking after just their employees (unless you're in the military).

It doesn't make sense to operate that way, and yet organizations are still failing to make the same leap for security professionals: adopting the more cost-effective outsourced-expert practices they already have in place for other specialist service areas.

The security marketplace has evolved considerably over the last 5 years, and there are plenty of service providers out there that can provide one-on-one access to qualified and experienced security professionals capable of meeting any security requirement an organization is likely to have. Nowadays you can tap into an incredibly broad range of expertise, ranging from hard-core security researchers capable of helping you evaluate the security of new products you're thinking of buying and deploying throughout your enterprise, through to 24x7 security sentinels so knowledgeable about the security product you've deployed that they're capable of guaranteeing protection with money-back SLAs.

It costs a lot of time and money to develop and grow a top-notch security professional. And, once they reach that level, it requires a lot of time and effort to maintain those skills. Just like learning a new language, while you can do a 4-week intensive course to learn the important bits, it doesn't make you fluent, and, more importantly, unless you constantly practice those skills, you'll lose them quickly enough. So, for those organizations that believe in training up their internal security teams to "professional level", are they really investing those hard-fought budget dollars in the right place? How are the latest batches of security professionals going to keep their skills honed to a fighting edge for this time next year, when they may or may not be needed?

I know that some organizations may have concerns over “outsourcing” certain skills and support for fear of breaches in confidentiality and security etc. – and yet they don’t give a second thought to contracting an external legal firm to deal with their most confidential contracts, employing external accountants to look over their financial books, or even providing all-access keys to their external cleaning company.

I think that a change in mindset is well overdue. Organizations should take a closer look at their security budgets and evaluate whether they're getting the right value out of their internal teams and whether their skills investment meets the daily needs of the business.

Hackers Prepare UK Supermarket Sweep

Posted by Gunter Ollmann on August 29, 2008 at 12:21 PM EDT.

The BBC has a story running concerning the targeting of self-checkout systems in UK supermarkets – Hackers Prepare Supermarket Sweep. It covers some investigative work into the underground forums that discuss techniques for using stolen credit card details in the UK – in particular, the use of self-checkout systems so that the criminals can avoid contact with store staff who may spot the fake cards.

I’d recommend having a read of the story (and watch the news clip) if you get a chance, it’s a good primer on one popular aspect of this class of crime and helps answer one of those nagging questions as to who actually purchases/uses all those stolen identity and credit card details we hear about every day.

But, with that in mind, there are a few points that I think need some clarification.

While the story is concerned with foreign (e.g. US) credit card details being used fraudulently in UK supermarkets, it's important to understand that any stolen credit card details could be used. In this case non-UK (and I'd expect non-European) credit card details are preferred because of the widespread use of Chip & PIN technologies, which make it more difficult to defraud an account than just reprogramming (cloning) a card's magstripe.

The use of self-checkout systems is obviously a preferred vehicle for reducing the probability of detection by store personnel – especially if the criminal has simply reprogrammed the magstripe of one of their own cards (and the printed/embossed card details won’t match the magstripe data). But having said that, the process of simply printing and embossing your own counterfeit card is downright trivial and will only cost a criminal team a few hundred dollars to set up shop (see my previous blogs on how to create your own credit cards – including Chip & PIN cards). And, with a little charm and social engineering, a criminal armed with freshly minted counterfeit credit cards could make higher value purchases by going through the regular sales (person-to-person) channels.

I guess in this reported case, I’d be inclined to say that the investigation stumbled on some relatively inexperienced (dare I say “amateur”?) credit card criminals. Why? Well, firstly, they appear to be trying to figure out how to do this from scratch through Internet postings (dumb idea!). And secondly, they're preoccupied with routes that don’t require physical interaction with store staff. Sounds like a bunch of chavs trying to advance their criminal career.

The story itself ends with a kind of call-to-arms for the US to adopt Chip & PIN technologies. I'd love for that to happen, it's a more efficient technology than magstripes and signatures, but let's not get carried away in thinking that the technology is going to stop this class of fraud dead. As I've repeatedly pointed out in the past, Chip & PIN card technologies are already defeatable through various techniques (both technical and social engineering). Chip & PIN raises the anti-fraud bar a little higher, but it is still well within the reach of any marginally technical criminal.

OWASP 2008 - “Multidisciplinary Bank Attacks”

Posted by Gunter Ollmann on August 28, 2008 at 12:37 PM EDT.

In case you haven't already noticed, the OWASP AppSec 2008 conference is now less than a month away. If you're into the cutting edge of Web application security, then this is the conference you really should be attending. While the big conferences like Blackhat and RSA are a security professional's Mecca, they only touch lightly upon what's really happening in the AppSec world; the New York OWASP conference is where you'll see and hear about the latest Web application attacks, threats and mitigation strategies.

I'll be there for the two-day conference (September 24th to 25th). In fact I can't really escape attending, as I'll be speaking on the first day, and IBM is a sponsor of the event.

There are a whole bundle of talks I'm planning on attending this year. The ones of most interest to me include Arian Evans' "Threading the needle" (because I'm interested in evasion techniques and have published quite a bit on the topic for many years), Daniel Cuthbert's "OWASP Testing Guide – Offensive Assessing Financial Applications" (because I'm always interested in seeing which methodology components others emphasize, and it relates a little to my talk as well), Arshan Dabirsiaghi's "Next Generation Cross Site Scripting Worms" (because I want to make sure we already preemptively protect against all these automated vectors) and Tyler Hudak's "Automated Web-based Malware Behavioral Analysis" (because the title sounds interesting and maybe relevant, but there are no real details, so I hope it doesn't prove to be an irrelevant history lesson).

My Talk

So, my talk at the OWASP conference is going to be a little different from the norm. Sure, it’ll have all the scary real-threat examples that I’m notorious for, and will probably have several people questioning whether they should use a Web browser to access their online banking accounts ever again, but ideally it'll also have people rethinking their banking application design.

The talk I'll be giving, titled "Multidisciplinary Bank Attacks", concerns the paradigm shift that is necessary for banks to really begin to counter today's real-world threats against the customers using their online services. While the talk will be oriented towards the security professionals responsible for the assessment and penetration testing of online banking portals, it'll be heavily weighted towards understanding how and why malware attack vectors are so successful, and why all this multi-factor, out-of-band authentication hoopla has been pretty much defeated for quite some time and is largely irrelevant to the cybercriminals.

"Multidisciplinary Bank Attacks" will cover how malware running on a bank customer's computer needs to be factored into the way the security of an online banking portal is assessed, and the types of Web application design that can help mitigate degrees of the threat. It's not about how to use malware during a penetration test, but about how the page's construction and poor application logic can increase the likelihood of customer fraud.

There’ll be an element of how multi-factor authentication technologies are currently defeated, same too with the out-of-band validation technologies, along with the newer fund transfer transaction signing systems. The “trick” is really in understanding how social engineering is combined with man-in-the-browser technologies to shim the banking portal pages, and factoring in how customers trust page elements for validation.

One thing’s for sure, the attendees will be learning lots of new stuff – some of it scary, but lots of things that can be directly applied to the next generation of online banking application security.

Web Browser Incompatibilities

Posted by Gunter Ollmann on August 10, 2008 at 6:52 PM EDT.

What a relief, Blackhat and DEFCON have drawn to a close, and I can finally escape Las Vegas. Six days straight in this Styrofoam-molded Disneyland for adults have left all the usual physical and mental scars. I feel like I should be wearing a “I survived Las Vegas” t-shirt – especially after fumbling around early this morning looking for anything with caffeine in it prior to getting on stage for my presentation.

Despite having the first early morning slot on a Sunday, I was pleasantly surprised to see so many people making it to the presentation – with the only noticeable absentees being the blokes I was out partying with the evening before (perhaps they decided to go to church instead? Hah).

The presentation itself went by without any problems and was well received, and there were a number of follow-up questions digging into some of the finer points about the datasets and context.

Anyhow, following the talk I had a bit of a discussion about how corporates should be handling the threat of these mass defacements with drive-by download payloads, given that they have to stick with old, outdated and insecure browser versions because of compatibility issues with legacy internal applications.

In a nutshell, if you read the whitepaper I helped produce on Web browser Insecurity – “Understanding the Web browser threat” – you’ll have seen that we found Firefox's updating mechanism to be the best of all the Web browsers, and that we believe that promptness in applying patches and updates is critical against today’s threats.

The problem though is that Microsoft Internet Explorer is pretty much ubiquitous as the Web browser of choice in the corporate world, and a high percentage of installations run outdated versions (e.g. IE 5 and IE 6). Most organizations will cite as the key reason for this compatibility with legacy and internally developed Web 1.x-2.x applications. And, depending upon how those critical business applications were originally created, there's a high probability that updating the default IE 5 or 6 installation to the current IE 7 version will overwrite key ActiveX controls on the employees' desktops and render those applications "broken".

The Internet side of the threat to these organizations comes into play because their employees rely upon these very same insecure and outdated Internet Explorer technologies to surf outside the intranet. Basically, the organization needs to make a risk evaluation of whether business continuity is more at risk from breaking the internal application (rather than fixing the application itself by removing that dated browser dependency) or from some Internet Web browser threat. If we were having this discussion a couple of years ago, then I think there may have been some kind of debate. Today, the risk of an internal compromise to business continuity from allowing employees to surf the Web with years-old Web browser technologies is fast approaching unity, i.e. you'd better have a good disaster recovery plan (if not, don't worry, you'll get a lot of practice refining it...).

OK, let's pause for a second though. If you're a corporate, and you can't upgrade/update your Internet Explorer installation, why not run two different Web browsers on the same machine? Granted, you can't install multiple versions of IE on the same host, but you can install any of the others (e.g. Firefox, Opera, Safari, etc.).

And that leads me to my recommendation really. If you rely upon an old version of Internet Explorer for business application compatibility, install a SECOND web browser for doing the "Internet stuff" (I’d recommend Firefox because of its security features and speed of auto-updating).

To get around some of the “employee compatibility” issues, how about having two icons on the desktop – one labeled “Work” (Internet Explorer) and the other “Internet” (Firefox) – so that users know which one to use (or not to use).

If you're not already doing so, use a Web proxy service (and make sure it includes URL filtering technology), and configure it to stop users from reaching the Internet with the wrong Web browser. I.e. have the Web proxy inspect the User-Agent string of each request and, if it's Internet Explorer, redirect the user to an internal help page informing them that they're using the wrong icon/browser. Bear in mind that the User-Agent header is set by the client and is trivial to change, so this is a guardrail that keeps well-meaning users on the right icon, not a control that a determined user (or malware) can't step around.

Similarly, you can employ the same tactic to stop them from using Firefox for the internal "incompatible" applications.
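The proxy rule described in the last two paragraphs, written out as a small policy hook. This is an added example, not code from the original post or from any IBM ISS product: it assumes a proxy that can hand a hook the request URL and User-Agent header and act on an allow/redirect verdict (Squid's browser ACL type and deny_info are one way to express the same thing in a real proxy). The intranet suffixes, the help-page URL and the sample requests are all constructed for illustration.

```python
"""Browser-steering policy for a Web proxy: legacy IE stays on the intranet,
Firefox handles the Internet, anything else is sent to an explanatory page.

Added example, not code from the original post or any IBM ISS product.
Hostnames, the help-page URL and the sample requests are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Zones where the legacy IE-only applications live (assumed names).
INTERNAL_SUFFIXES = (".corp.example", ".intranet.example")
# Page explaining "you clicked the wrong icon" (assumed URL). It must be
# reachable from either browser, otherwise the redirect would loop.
HELP_PAGE = "http://help.corp.example/wrong-browser"

# IE up to version 9 announced itself as "MSIE <major>.<minor>" inside a
# "Mozilla/4.0 (compatible; ...)" string; Firefox ends its UA with "Firefox/<ver>".
_MSIE = re.compile(r"\bMSIE (\d+)\.\d+")
_FIREFOX = re.compile(r"\bFirefox/(\d+)")


def classify_browser(user_agent: str) -> str:
    """Return 'ie', 'firefox' or 'other' for a User-Agent header value.

    The header is chosen by the client and trivially changed, so this is a
    usability guardrail for honest users, not a security boundary.
    """
    if _MSIE.search(user_agent):
        return "ie"
    if _FIREFOX.search(user_agent):
        return "firefox"
    return "other"


def is_internal(host: str) -> bool:
    """True if host sits in one of the intranet zones."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in INTERNAL_SUFFIXES)


def decide(url: str, user_agent: str) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("redirect", HELP_PAGE) for one request."""
    host = urlsplit(url).hostname or ""
    if host == urlsplit(HELP_PAGE).hostname:
        return ("allow", None)                 # never redirect the help page itself
    browser = classify_browser(user_agent)
    internal = is_internal(host)
    if browser == "ie" and internal:           # legacy apps: IE only
        return ("allow", None)
    if browser == "firefox" and not internal:  # everything else: Firefox only
        return ("allow", None)
    return ("redirect", HELP_PAGE)


def redirect_response(location: str) -> bytes:
    """Minimal HTTP response the proxy returns instead of fetching the page."""
    return (
        "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n"
        "Cache-Control: no-store\r\nContent-Length: 0\r\n\r\n"
    ).encode("ascii")


# Constructed sample traffic: (url, user_agent) pairs as the proxy would see them.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("http://erp.corp.example/timesheet.asp",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("http://www.example.com/news",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"),
    ("http://www.example.com/news",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"),
    ("http://erp.corp.example/timesheet.asp",
     "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"),
    ("http://www.example.com/news", "curl/7.18.2"),
]


def summarize(requests: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count verdicts over a batch of requests, e.g. a day's proxy log replayed
    against the policy before the redirect is switched on."""
    counts: Dict[str, int] = {"allow": 0, "redirect": 0}
    for url, ua in requests:
        counts[decide(url, ua)[0]] += 1
    return counts


if __name__ == "__main__":
    for url, ua in SAMPLE_REQUESTS:
        verdict, target = decide(url, ua)
        print(f"{classify_browser(ua):8} {url:42} -> {verdict} {target or ''}")
    print(summarize(SAMPLE_REQUESTS))
```

Run the policy over a captured proxy log before enabling the redirect: the summarize() counts show how many sessions would be bounced, and a large "redirect" figure usually means an internal application is hosted somewhere outside the intranet suffix list rather than that users are misbehaving.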

Operating this way is no more difficult than educating your employees to use Word to open documents, and Excel to open spreadsheets.

Granted, there may be some internal issues/requirements for getting Firefox added to any standard or “gold” desktop builds, but you’ve got to be a little blinkered if you’re letting employees blindly surf the Internet with out of date Internet Explorer versions.

BTW – now don’t get me wrong, a current fully-patched version of Internet Explorer (i.e. version 7) is about as safe as any of the other popular Web browsers out there from a security feature perspective. But until you either fix all the incompatibility issues the latest IE version has with your internal applications, or you figure out how to run multiple versions of IE on the same desktop installation, you really should be looking at using an additional current generation Web browser technology for Internet surfing.

Blackhat & DefCon - Las Vegas 2008

Posted by Gunter Ollmann on August 04, 2008 at 8:06 AM EDT.

As most technical security professionals are already profoundly aware, it's Blackhat and DefCon week in Las Vegas, and it's going to be a long and sleepless week for those attending. I'm actually looking forward to attending both events this week, but it's tempered by having to be in Vegas for 6 days straight!

The speaker lineup for Blackhat is pretty interesting this year, and I thought that (unlike previous years) I'd actually take a stab at pseudo-deciding which talks I'd try attending (I'm prefixing it with "try" because, as anyone who's been to Blackhat Las Vegas before knows, there are a lot of last-minute distractions, pullouts and overlapping talks).

Now, if you’ve been watching the preamble press for Blackhat (i.e. feeding frenzy), you’ll be aware that there are three critical talks this year and, like the 4,000 other attendees, I’m aiming to include those talks…

(1) Dan Kaminsky’s “Black Ops 2008 -- Its The End Of The Cache As We Know It” is probably the most overhyped talk for the event and, while I’m not expecting to see anything new from what’s already been published over the last few weeks relating to that DNS issue, I do like to people watch – and I’m pretty sure that the media swarm this year is going to be of epic proportions.

(2) Mark Dowd’s “How To Impress Girls With Browser Memory Protection Bypasses” will be the most awe-inspiring talk of the show and will likely blow the minds of anyone that’s not regularly sitting in front of IDA Pro for more than 4 hours every day. That said, if you’re a top-end developer having to code memory protection mechanisms, you’d have to be out of your mind to not sit in on this talk. Look, listen, take notes, and remember!

(3) John Heasman’s “The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation” (along with Nathan McFeters and Rob Carter of course) talk covering new browser attack vectors including the evolving GIFAR (JAR archives that look like GIF images) will be very interesting.

Of course, the first immediate problem I see is that Mark Dowd is on at exactly the same time as John Heasman (3:15pm on Thursday). Given that hiccup, I’ll probably end up attending John’s talk because I’m more in to studying client-side attacks at the moment; and besides, it’s not as though I couldn’t catch up with Mark back in the office afterwards. That said, Jeff Moss, if you’re reading this blog, can I convince you to make a last minute change to the schedule and remove the overlap? There’s a beer in it for you ;-)

The other talks sounding the most interesting to me, and are ones that I’m adding to my hit-list, are:

(4) Michael Ossmann's "Software Radio and the Future of Wireless Security" because it's an area I've been interested in ever since I shoved a 100MHz oscillator card into my 486DX and hooked it up to an X-band radar, and the fact that software radios are the bread & butter research tools for any current generation RF hacking.

(5) Lukas Grunwald's "Hacking and Injecting Federal Trojans" because I've been heavily involved in the new banking Trojan attack vectors for quite some time and have been keeping an eye on what's happening with German lawful interception technologies. (But it's on at the same bl**dy time as Dowd's and Heasman's presentations! Jeff, come on, are you doing this on purpose?)

(6) Shawn Embleton’s “A New Breed of Rootkit: The System Management Mode (SMM) Rootkit” because, as a former silicon guy, I like hearing about new dirty tricks – although I have some doubts about its stealth.

While those 6 talks are on my hit-list, I’ll be playing it by ear on the day as to which other talks I end up attending.
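The GIFAR mentioned against talk (3) rests on a file-format property worth seeing in bytes: a GIF decoder validates a file from its first bytes, while a ZIP (and so a JAR) reader locates the archive from the End Of Central Directory record at the end of the file and tolerates whatever precedes it, so one byte string can satisfy both. The block below is an added example, not code from the original post or from the Black Hat talk: it builds such a polyglot from a hand-constructed 1x1 GIF and an archive holding only a text manifest (no code), then shows the check an image-upload handler can run to refuse files that a JAR loader would also accept. The constants and helper names are my own.

```python
"""GIF/JAR polyglot ("GIFAR") construction and a detector for upload handlers.

Added example, not from the original post or the Black Hat talk it mentions.
The GIF bytes are hand-built; the archive contains only a manifest string.
"""
import io
import struct
import zipfile
from typing import List, Optional

# Hand-built 1x1 GIF89a with a two-colour global colour table (constructed).
MINIMAL_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"           # logical screen 1x1, GCT present, 2 entries
    + b"\x00\x00\x00\xff\xff\xff"               # colour table: black, white
    + b","                                      # image descriptor
    + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # at 0,0 size 1x1, no local table
    + b"\x02" + b"\x02\x44\x01" + b"\x00"       # LZW min code size, one data sub-block, terminator
    + b";"                                      # trailer
)

EOCD_SIG = b"PK\x05\x06"
MAX_COMMENT = 0xFFFF      # the EOCD record may be followed by up to 64 KiB of comment


def build_gifar(gif: bytes = MINIMAL_GIF,
                manifest: str = "Manifest-Version: 1.0\r\n") -> bytes:
    """Return bytes that are a valid GIF and a valid JAR at the same time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return gif + buf.getvalue()   # ZIP readers fix up offsets for the leading GIF


def looks_like_gif(data: bytes) -> bool:
    """The whole of what many upload filters check: the GIF signature."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def embedded_zip_offset(data: bytes) -> Optional[int]:
    """Offset at which a ZIP reader would place byte 0 of an archive, or None.

    Mirrors what zip/jar readers do: scan back from the tail for the EOCD
    signature, read the central directory size and offset, and work out
    where the archive really starts. A value > 0 means bytes precede it.
    """
    window = data[-(MAX_COMMENT + 22):]
    idx = window.rfind(EOCD_SIG)
    if idx < 0:
        return None
    eocd = len(data) - len(window) + idx
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    start = eocd - cd_size - cd_offset
    return start if start >= 0 else None


def is_polyglot_image(data: bytes) -> bool:
    """True if data passes as a GIF yet carries an archive a JAR loader would open."""
    off = embedded_zip_offset(data)
    return looks_like_gif(data) and off is not None and off > 0


def archive_names(data: bytes) -> List[str]:
    """What a ZIP/JAR reader sees in the file (empty if it is not an archive)."""
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return []
    with zipfile.ZipFile(bio) as zf:
        return zf.namelist()


def read_manifest(data: bytes) -> str:
    """Read the manifest back through the standard ZIP reader, GIF prefix and all."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("META-INF/MANIFEST.MF").decode("ascii")


if __name__ == "__main__":
    blob = build_gifar()
    print("starts as GIF:", looks_like_gif(blob))
    print("archive byte 0 at offset:", embedded_zip_offset(blob), "(GIF is", len(MINIMAL_GIF), "bytes)")
    print("JAR reader sees:", archive_names(blob))
    print("polyglot?", is_polyglot_image(blob), "| plain GIF flagged?", is_polyglot_image(MINIMAL_GIF))
```

The practical lesson for anyone hosting user-supplied images is that checking the leading signature (or re-reading the file with an image library) says nothing about the tail; is_polyglot_image() is the cheap extra check, and re-encoding uploaded images, which discards trailing bytes, is the more thorough one.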

DefCon

Then of course there’s DefCon running Friday through Sunday.

I always enjoy DefCon – perhaps more so than BlackHat – because of the sheer breadth of talks and the more relaxed feel of the proceedings. I've also found that speakers who have done the BlackHat/DefCon circuit give much better talks the second time round at DefCon because they're similarly relaxed, and the Q&A sessions tend to be more insightful.

I’m not going to even try to list the talks I’m aiming to attend because there are too many and, based upon any previous year’s experience, bumping in to former colleagues and clients often means that the plan of the hour gets rapidly ditched.

That said, there is one slot I HAVE to attend – 10:00 Sunday morning – as I’m delivering the talk “Exploiting A Hundred-Million Hosts Before Brunch” with my good friend Stefan Frei. I guess we must have upset the scheduling gods (or did I offend too many of the Goons last year?) to have been cursed with such a soul-damaging slot. I just need to decide whether 10:00am is a very early or a very late slot to give the talk – it all depends upon what the evening before has planned...

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.