Security Insights


by Gene Schultz, PhD, CISM, CISSP


Virtualization and Security - Part 2

In my last blog post, I asserted that virtualization is from a security point of view very much a two-edged sword.

Nothing supports this assertion more than the Blue Pill rootkit developed by security researcher Joanna Rutkowska, which she describes as a 100 percent undetectable rootkit (“Blue Pill”) that circumvents the Vista integrity-checking process for loading unsigned code into the Vista kernel. This rootkit uses AMD’s secure virtual machine technology, designed to boost security, to hide itself.

In short, something that was intended to elevate security can be subverted to cause security nightmares.

If a completely undetectable rootkit existed, it would indeed be a catastrophe from a security perspective. Fortunately, however, it is not at all clear that Ms. Rutkowska’s claims are justified; the issue of the detectability of this rootkit is currently far from resolved.

It is true that a great preponderance of well-known rootkit detectors cannot find the Blue Pill rootkit. At the same time, however, this rootkit is relatively new. Many researchers are attempting to develop code that will detect it. In time, it is highly probable that one of them will succeed. Additionally, not too long ago two researchers from a well-known anti-virus software company challenged Ms. Rutkowska’s assertion that this rootkit is completely undetectable. They proposed a test involving two identically configured computers, both of which would run the Vista operating system as well as the same applications.

In this proposed test, one of the computers would, unbeknownst to the researchers, be infected with the Blue Pill rootkit, but the other would not be. According to their proposal, the researchers would have to manually inspect both computers to determine which of the computers was infected. If successful in doing so, the researchers would, according to the challenge, win a prize: Ms. Rutkowska’s own computer. If they were not successful, Ms. Rutkowska would win their computer. Ms. Rutkowska backed down, and in so doing, lost considerable credibility. After all, if the Blue Pill rootkit is undetectable, why wouldn’t the developer stand behind this assertion in the face of such a challenge?

Since the time of the face-off between the security researchers and Ms. Rutkowska, I attended her presentation on the Blue Pill rootkit at a recent conference. She appears to have shifted her position from claiming that this rootkit is undetectable to one in which she proposes possible ways to detect a rootkit of this nature. In this respect, she has been very wise, in that in computer science, claims of absolutes seldom turn out to be true.

In simple terms, she has proposed hypervisors that monitor what happens within individual VMs, thereby enabling detection of malicious conditions and events.

Ms. Rutkowska’s proposal makes considerable sense. Unmonitored virtual environments spell nothing but potential for major trouble. The moral of the story, therefore, is that security must be ubiquitous; it must permeate every function and process, even if the function or process is virtual.

~ : ~

Virtualization and Security - Part 1

Author’s Note: Steve Orrin of Intel deserves credit for many of the ideas in this blog entry.

Virtualization is a major trend in the IT arena. There are many reasons to use virtualization, including consolidation of computing resources, dynamic load balancing, failover capabilities, ability to perform maintenance without downtime, ability to pool computing resources, ability to use custom virtual machines (VMs) as a container for application delivery, and much more. Virtualization will be a major part of computing for a very long time.

Virtualization’s benefits go far beyond efficiency, functionality and continuity, however, in that virtualization also offers much for information security.

VMs can be used to isolate processes from attackers and malware, making systems and applications more difficult to successfully attack or infect. User access to applications can be tightly controlled in that virtualization allows special applications to be isolated from end-user applications, making unauthorized access to the former very difficult. Even if a system or application that runs in a virtualized environment is successfully attacked, any impact resulting from the attack is almost always attenuated. The ability to spread attacks (particularly due to malware-based infections) is thereby reduced.

A good example of the usefulness of virtualization in the information security arena is the way Java applets run in a “sandbox” environment in the Java VM. The sandbox restricts capabilities such as reading or writing to files on each local computer, starting or calling programs on each local computer, and obtaining network connectivity to the same computer from which applets have been loaded.

Invariably, however, nothing is perfect, and security in virtualized environments is no exception.

“Hyperjacking,” in which an attacker crafts and then runs an ultra-thin hypervisor that takes complete control of the underlying operating system, can occur. Additionally, even in virtualized environments it is possible to steal data from layer 2 traffic by configuring a network interface card such that it runs in promiscuous mode.

Furthermore, virtualized environments typically are characterized by great diversity, something that can interfere with IT standardization and compliance efforts.

Consider, for example, virtualization in the Java applet environment. Although Java applets are typically run as part of a web page, they can be downloaded and then run locally as a file without being subject to the sandbox’s restrictions.

The sandbox does not always function as intended, either. Applets can, for example, send information from computers on which they execute to other network-connected systems, thereby substantially raising the risk of unauthorized disclosure or theft of stored data and programs.

The “bottom line” is that from an information security perspective, virtualization is a two-edged sword. Virtualization should not be viewed as a security panacea, nor should it be viewed as an opened Pandora’s box.

At the same time, it behooves information security professionals not only to thoroughly understand virtualization and its advantages and disadvantages from a security viewpoint, but also to keep up with changes in virtualization, both those that have occurred in the past and those that will undoubtedly continue to occur in the future.

~ : ~

Security Gone Awry

A very good friend of mine over the years just lost his job. He was a deputy program manager with a very large corporation that has a well-advertised computer usage policy that does not allow files that are not business-related to be on any of this corporation’s computers. My friend was on vacation for a while, and during this period he transferred several attachments sent to him by a family member to his USB storage device.

When he went back to work several weeks later, forgetting the contents of this device, he used it to make a “sneakernet” file transfer from his computer to another. This corporation has implemented a mechanism such that starting the instant a computer connects to its network, all files in that computer’s file system are immediately backed up. Unfortunately for my friend, the USB storage device had the files that his family member had sent him, and so these files were also backed up. Soon thereafter someone identified these files as non-business-related, triggering a swift termination procedure for my friend.

If what happened to my friend were the only story of this kind, I would not have taken the time to write a blog entry on this subject. Unfortunately, I have become aware of numerous incidents involving unduly harsh punishments meted out to unfortunate employees who have not intended to violate an organization’s information security policy.

In one case, an employee got into a lot of trouble because this person’s organization forbade the use of corporate email for personal reasons. Using his best judgment, while on the job this employee responded to a message that was borderline in its content: in some ways it appeared to be business-related, but in other ways, it did not. A technical staff member whose responsibility was to monitor the content of email traffic flagged the message as non-business-related. At an ensuing hearing, management backed the technical staff member’s judgment and subsequently issued a formal reprimand that went into the employee’s personnel folder, thereby limiting that employee’s career growth potential from that point on.

In yet another ugly episode that occurred nearly ten years ago, a system administrator launched a set of vulnerability scans within the portion of the network for which he was responsible. Unfortunately for him, the scans were not configured 100 percent correctly. A few hosts within the purview of another system administrator were thus also scanned, something that triggered an alarm.

My suspicion is that very little would have resulted from this mistake if not for the fact that one of the machines that was accidentally scanned was the computer owned by a high-level manager. This machine was vulnerability-riddled and so badly misconfigured that it constituted a major security hazard, something that was apparent to all who inspected the scan results. The manager threw the book, so to speak, at the system administrator, charging him with unauthorized access to his computer as well as other security-related misdeeds. After a dreadfully long and painful process, the system administrator was for the most part, but not completely, vindicated.

The point of these depressing accounts of employees being nailed for marginal infractions of information security policies is that security does not exist for the sake of security. Blindly applying the provisions of such policies (and especially the punishments prescribed in them) leads to incredible injustice. Information security must be reasonable. Creating an information security policy, something that I have discussed in previous blog entries, is very important, but enforcing the provisions of a policy in a reasonable manner is just as important.

~ : ~

Tough Times for the City of San Francisco

I attended the ISSA-LA meeting last Wednesday. While I was eating lunch there, someone first told me about the nasty insider incident that occurred recently in San Francisco.

A city of San Francisco computer engineer, Terry Childs, allegedly reset all network administrators’ passwords in the city’s network, which then became inaccessible for an extended period of time.

The total loss resulting from this incident was estimated to be $250,000. Childs, who has since been arrested and charged with computer tampering, was allegedly unhappy about a law enforcement investigation that ensued after tampering activity within the network had been discovered.

Although more dramatic than usual, this incident is by no means unique. Time after time, incidents such as this one occur, with disgruntlement being the most common motive.

It is surprising to me, however, that organizations learn of attacks such as these, but do little in response afterwards. I would think that at a minimum, information security staff would reexamine the most recent threat and risk analyses to determine whether insider attacks were considered and weighted sufficiently.

It would also be reasonable to reexamine the level of residual risk due to insider activity to determine whether this level is still acceptable and, if not, what additional controls need to be implemented. But even if information security staff were to do all these things, I would not count on senior management being any more concerned about the insider threat than before, nor would I count on them to allocate more resources for controls that counter insider-related risk.

The city of San Francisco incident once again shows just how critical monitoring of not only externally initiated activity, but also internally initiated activity is.

Unfortunately, most intrusion detection systems are geared much more towards detecting externally initiated attacks, and I am sure that whoever changed all the network administrator passwords carefully erased all evidence of this activity in the audit logs of the systems in which this activity transpired. Use of technology designed to detect insider attacks would have made all the difference in the world, in that the tampering activity would almost certainly have been discovered earlier and the culprit could most likely have been identified before the catastrophic outage occurred.
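The two insider signals just described, a burst of administrator password resets by one actor and records missing from an audit trail, can both be checked with a simple detector run over device audit logs. The example below is added here and is not code from the original post or from any product; the log format, host and account names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a hypothetical "key=value" format.
# One actor resets four admin accounts within two minutes, and sequence
# numbers 1046-1048 are absent from core-rtr-01, as if records were deleted.
SAMPLE_LOG = """\
2008-07-09T14:02:11 seq=1041 host=core-rtr-01 actor=eng_a action=PASSWORD_RESET target=admin_b
2008-07-09T14:02:19 seq=1042 host=core-rtr-01 actor=eng_a action=PASSWORD_RESET target=admin_c
2008-07-09T14:02:40 seq=1043 host=core-rtr-01 actor=eng_a action=CONFIG_SAVE target=-
2008-07-09T14:03:05 seq=1044 host=core-rtr-01 actor=eng_a action=PASSWORD_RESET target=admin_d
2008-07-09T14:03:30 seq=1045 host=core-rtr-01 actor=eng_a action=PASSWORD_RESET target=admin_e
2008-07-09T14:09:00 seq=1049 host=core-rtr-01 actor=eng_b action=LOGIN target=-
2008-07-10T09:00:00 seq=1050 host=core-rtr-02 actor=eng_b action=PASSWORD_RESET target=admin_b
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) seq=(?P<seq>\d+) host=(?P<host>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+)$"
)


def parse(log_text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["seq"] = int(ev["seq"])
        events.append(ev)
    return events


def bulk_resets(events, window=timedelta(minutes=10), threshold=3):
    """Flag actors who reset `threshold` or more distinct accounts within `window`.

    Returns (actor, window start, sorted targets) tuples, at most one per actor.
    """
    findings = []
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "PASSWORD_RESET":
            by_actor[ev["actor"]].append(ev)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct accounts reset within the sliding window that opens at `start`.
            targets = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                findings.append((actor, start["ts"], sorted(targets)))
                break
    return findings


def sequence_gaps(events):
    """Report missing audit sequence numbers per host as (host, first, last) ranges.

    A gap in a monotonically numbered audit trail is a sign that records were
    removed after the fact, which is exactly the cover-up the post describes.
    """
    gaps = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev["seq"])
    for host, seqs in by_host.items():
        seqs.sort()
        for a, b in zip(seqs, seqs[1:]):
            if b - a > 1:
                gaps.append((host, a + 1, b - 1))
    return gaps
```

Shipping the audit trail to a separate collector as it is written keeps `sequence_gaps` meaningful even when the originating device is later wiped.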

Additionally, this incident points to the need for better and more frequent background investigations, particularly for employees who hold critical positions in the IT arena.

Most system and network administrators are beyond reproach, but let’s face it, some of them are not. Nevertheless, as a whole, system and network administrators are trusted way too much.

Given that they are granted virtually unlimited power in the systems and networks that they administer, these individuals need to be under greater scrutiny than others, yet they are usually not.

Thorough background checks need to be performed not only when personnel such as these are going through the hiring process, but also every year or two after they are hired.

Interestingly, in 1982 Terry Childs (who, by the way, may or may not be guilty of the tampering charges he is facing) was convicted for aggravated burglary and was put on five years of probation.

Yes, the city of San Francisco incident leaves some very valuable “lessons learned.” Whether or not they will be heeded is, however, an entirely different matter.

~ : ~

Economic Hard Times Add To Information Security Risks

I recently read a newspaper article that discussed some of the fallout that has resulted from the recent problems with the US economy as well as economies elsewhere. The article stated that commercial stores are experiencing a substantially larger amount of shoplifting; theft by internal employees is also greatly on the rise. Given the severity of the current economic plight, there is no immediate end in sight.

More than simply goods, food and gasoline are at elevated risk of theft, however.

I’d also be more than willing to bet that information security-related risk has soared as the result of the current economic hard times. Lack of economic well-being is one of the greatest motivators of all kinds of crime, computer-related crime very much included.

For years, groups and individuals from various countries around the world, but particularly countries in which economies have not been faring well, have been breaking into computers that store financial information and that run business transaction applications that can be subverted to funnel money to somewhere where the perpetrators can collect it covertly and safely.

Break-ins are, however, only part of the overall problem. Because extortion is another way to make money, I’d expect the number of actual and threatened denial of service and other attacks to also greatly increase. Furthermore, substantial growth in the number of social engineering attacks, especially attacks designed to steal industrial secrets that can be sold to information brokers and others, is likely to occur.

The paradox is that while information security-related risk is on the rise, significant cutbacks in the number of information security staff within organizations are occurring.

I would truly hate to be an information security professional looking for a job right now; over the last 25 years, I have seldom seen a time period when so few job openings in information security are being advertised. What is truly sad, however, is that despite all the progress in the field of information security over the years, apparently a too-large proportion of senior managers still do not value information security sufficiently to understand its potential value, especially its value during times of substantially elevated information security risk.

All this shows that we still have a long way, a very long way, to go in “making the sale” to senior management. I suspect that despite all our strategies and methods for doing so, the best leverage with senior management is the leverage that comes from newspaper headlines concerning catastrophic security breaches that have occurred.

Even though such headlines will continue to persist, some senior managers will nevertheless continue to live in a state of ignorant bliss regarding information security risk awareness and management by thinking that “it happened to them, but it could never happen in my organization.”

Increased theft in stores will almost certainly continue to occur in the foreseeable future. Hand in hand will come a growing number of reports about costly security breaches motivated by the desire to profit. They have occurred before, they are occurring now, and they are more likely than ever to occur at an accelerating rate as long as economic conditions remain unfavorable.

~ : ~

More on the Latest Cyberattacks

Just when it seemed as if all were quiet on the Western front, Jeanie Larson, the Department of Energy’s (DOE’s) program manager for incident response, shattered the silence during her presentation at the recent Government Forum of Incident Response and Security Teams (GFIRST) conference.

In a nutshell, Jeanie said that although fewer attacks against US government networks are occurring, the state of security is by no means better. Instead, attackers are more carefully choosing their targets, usually by focusing on a few government employees and contractors whom the perpetrators believe have information that is highly valuable to them, then using various methods (email, malicious Web sites, and more) of infecting their computers with malware that captures all input and output.

The targets are chosen through extensive reconnaissance and intelligence-collection activities that often last for months before an attack is ever carried out. Much of the malware hides itself very carefully after it is loaded into a victim system, and then it deletes itself when an attack is finished. Perimeter security is ineffective in countering these threats. Cooperation and information sharing among government agencies is vital in dealing with these threats, but neither is happening. The full story is at http://www.federalnewsradio.com/?nid=169&sid=1415201.

I’ve already written about this general topic (see http://www.high-tower.com/blogs/gschultz/strategies-for-dealing-with-latest-cyberattacks-the-need-to-reinvent-the-wheel/), but Jeanie has contributed a good deal of valuable additional information. Because statistics indicate that increasingly fewer cyberattacks have been occurring, the temptation to relax one’s guard (in particular by allocating fewer resources to address the problem) grows. However, there is more need now than ever to resist this temptation.

Metrics, such as the number of attacks, thus do not accurately depict what is really happening. Additionally, individuals are increasingly the targets of attacks, yet I wonder how many US government agencies have actually considered and dealt with the potential value of what each employee and contractor knows in their risk analyses and security control strategies.

The fight against cyberperpetrators is now not so much on a network-by-network basis, nor on a system-by-system basis, but rather on the level of individuals and the knowledge they possess, a very problematic shift in today’s security risk landscape.

Where is all this going?

Government agencies now need to cooperate with each other more than ever before, but they are not doing so. Lack of cooperation among government agencies is really nothing new. For many years, or at least as long as I can remember, government agencies have not cooperated with others. When I managed the DOE’s incident response team, I remember plenty of cooperation from NASA and the Department of Defense, but not from many others.

Why? Frankly, bureaucratic barriers within governments are almost insurmountable. Additionally, to survive, agencies need to hold on to power as strongly as they can. New information, especially information about international espionage attempts, translates to power; to share it thus means to dilute one’s power.

The good news is at least that the DOE is attempting to counter the problem by using systems that capture all email messages, inspect them on the basis of the likelihood that they contain malware, and, if appropriate, quarantine them for more analysis. The bad news is that the cyberattacks that are occurring will continue to change over time to avoid today’s detection technology. And there is no end in sight.

As was once said, may the times in which you live be interesting. Clearly, in today’s cyberworld this wish has been fulfilled.

~ : ~

A Tribute to Don Evans

Many information security professionals have done much good for the information security profession, so many that to single them out would take forever. Some have done so much, however, that they deserve special recognition.

Don Evans of the United Space Alliance is one such individual. Don just retired on June 5, 2008, and although I was unfortunately not able to attend his retirement ceremony, I would imagine that there were not many dry eyes among the attendees when all the nice things about him were being said.

Don is above all else one of the finest human beings I have ever known. He is a living embodiment of kindness, graciousness, honesty, fairness, unselfishness, and personal maturity—a true model for others to follow—yet few professionals have accomplished as much as Don has.

Don’s accomplishments include (but are by no means limited to):

  • Being one of the early leaders of the information security/information assurance effort within the NASA community. He did this despite a plethora of obstacles, including political wars, bureaucratic entanglements, lack of funding, lack of staffing, and (much too often) widespread ignorance and apathy.
  • Contributing significantly to the development of the Generally Accepted Security Principles (now called the Generally Accepted System Security Principles or GAISSP). These principles represent the most fundamental and important concepts in the field of information security. No one could have identified and communicated these principles better than Don.
  • Helping get the CISSP certification effort started and sustaining it long afterwards. The success of CISSP certification has been phenomenal, and no one worked harder to achieve this level of success than did Don.
  • Working tirelessly on conference planning committees. I honestly do not know on how many of such committees Don has served over the decades, but the number must be staggering. I remember speaking at conferences in Houston and Clear Lake, Texas in the late 1980’s, when I had not been in the field of information security all that long. One of the first things I learned was that Don was one of the major figures who organized and ran these conferences.

One thing about Don that earned my utmost level of respect was Don’s ability to remain cool and collected, no matter what the circumstances. He worked behind the scenes on his job and developed a great deal of rapport with senior management. He got what he felt was right without trying to bowl people over, but instead by treating others with unselfishness and respect for them—even those who did not deserve it.

Several years ago Don became seriously ill and almost died. Huge amounts of concern and sympathy surfaced from within the information security community and also elsewhere. Don pulled through his health crisis and now looks ultra healthy.

Predictably, Don is going to work a little bit for the NASA community while he is retired. Let’s just hope that he doesn’t work too hard; no one so richly deserves a great retirement as does Don.

~ : ~