August 28th, 2008
In IT security many known and reasonably proven security control solutions (network traffic filtering, encryption, access control lists, and much more) exist. Strangely, one very powerful solution, IT standardization, too often gets overlooked when people consider various control solution options.
A good example is chapter three in the CISM examination preparation manual, much of which covers IT security technology. This chapter mentions many security technology options, but, strangely enough, does not mention IT standardization as a viable security control measure. In this respect, this manual (which, by the way, I very much like overall) is by no means unique. IT standardization is a proven way to cut down IT costs, but as a security control this measure too often gets too little notice.
The most widely used version of IT standardization is the standard desktop. Larger organizations, particularly Fortune 500 companies and certain agencies within the US government, are the leaders in this area. From a security point of view, advantages of adopting a standard desktop include:
- A more secure out-of-the-box configuration. Most standard desktop efforts include provisions for having desktop systems vendors build and then ship systems preconfigured to customer specifications. Provided that specifications include configurations that are conducive to security, new systems are secure right from the start.
- Better conduciveness to patch management solutions. Differences in configurations of systems are one of the biggest problems in patch management. Systems with certain configurations are likely to fare well after new patches have been installed, whereas others with different configurations are not likely to do so. A standard configuration is thus likely to cause fewer complications in patch management.
- More efficient security monitoring. Inspecting system settings to spot unauthorized changes is one of the best ways to discover security breaches as well as unauthorized tampering. Inspecting systems that are built and maintained in accordance with a standard desktop configuration makes spotting unauthorized deviations much easier, as opposed to having to analyze a range of configurations because of lack of standardization.
- More efficient change management. A standard desktop also facilitates change management by making the transition from point A to point B more predictable. Testing in non-production environments thus results in greater certainty about what exactly will result once a change is made. In contrast, lack of standardization means that there is no single point A from which to start, making the transition to point B (or, most likely in reality, a number of somewhat different point B’s) much less predictable. Change management is particularly important in information security because change almost inevitably introduces new security-related risk.
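The monitoring and change-management advantages described above come down to one thing: with a standard desktop there is a single expected configuration, so any host can be compared against it mechanically. The following Python script is an added illustration, not code from the original post or from any FDCC tooling; the baseline settings, host names and observed values are all constructed for the example. It compares each host's reported settings against the standard and reports only the hosts that deviate, which is the check a security team would run to spot unauthorized changes across a fleet.

```python
# Constructed standard desktop baseline (hypothetical setting names and values).
STANDARD_DESKTOP = {
    "firewall.enabled": True,
    "autorun.enabled": False,
    "screen_lock.timeout_minutes": 15,
    "local_admin.accounts": ["admin"],
    "patch_level": "2008-08",
}

# Constructed snapshot of settings as reported by three hosts.
SAMPLE_FLEET = {
    "ws-01": {
        "firewall.enabled": True,
        "autorun.enabled": False,
        "screen_lock.timeout_minutes": 15,
        "local_admin.accounts": ["admin"],
        "patch_level": "2008-08",
    },
    "ws-02": {
        "firewall.enabled": False,              # deviates from standard
        "autorun.enabled": False,
        "screen_lock.timeout_minutes": 15,
        "local_admin.accounts": ["admin", "jdoe"],  # extra local admin
        "patch_level": "2008-08",
    },
    "ws-03": {
        "firewall.enabled": True,
        "autorun.enabled": False,
        "local_admin.accounts": ["admin"],      # screen_lock setting missing
        "patch_level": "2008-07",               # behind on patches
        "remote_registry.enabled": True,        # setting not in the standard
    },
}


def find_deviations(baseline, observed):
    """Return a list of (setting, expected, actual) tuples where the observed
    host configuration differs from the standard desktop baseline.

    Missing settings and settings that are present on the host but absent
    from the standard are both reported, since either can be a sign of
    tampering or of a host that was never built to the standard image."""
    deviations = []
    for key, expected in baseline.items():
        if key not in observed:
            deviations.append((key, expected, "<missing>"))
        elif observed[key] != expected:
            deviations.append((key, expected, observed[key]))
    for key, actual in observed.items():
        if key not in baseline:
            deviations.append((key, "<not in standard>", actual))
    return deviations


def audit_fleet(baseline, fleet):
    """Map host name -> deviations, including only hosts that deviate.
    A host that matches the baseline exactly produces no entry, so with a
    standardized fleet the report stays short and every line is actionable."""
    report = {}
    for host, observed in fleet.items():
        deviations = find_deviations(baseline, observed)
        if deviations:
            report[host] = deviations
    return report


if __name__ == "__main__":
    for host, deviations in audit_fleet(STANDARD_DESKTOP, SAMPLE_FLEET).items():
        print(host)
        for setting, expected, actual in deviations:
            print(f"  {setting}: expected {expected!r}, found {actual!r}")
```

Without a standard, there is no single `STANDARD_DESKTOP` to compare against, and the same check becomes a comparison of every host against its own undocumented history.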
The US government has in particular had great success in its desktop standardization efforts with its recent massive Federal Desktop Core Configuration (FDCC) initiative involving over 450,000 computing systems. The US Air Force, National Security Agency (NSA), National Institute of Standards and Technology (NIST), and Defense Information Systems Agency (DISA) worked together to produce a standard, secure configuration for two versions of Windows operating systems.
They then utilized their procurement process to ensure computer vendors delivered computing systems with this configuration. The result was not only substantial reduction in system administration costs, but also more efficient patch management and better user support. Curiously, very few legacy applications were adversely affected by the standardization.
If you are an information security or an IT professional, you would do well to give IT standardization proper consideration when you are deliberating among possible IT security controls. From a security perspective as well as from a more general IT perspective, IT standardization can deliver a much more favorable than average cost-to-benefit ratio than many other alternatives.
~ : ~
August 25th, 2008
A recent news item described Virgin Media sending warning letters to roughly 800 of its customers cautioning them to avoid downloading illegally copied materials. Virgin Media’s effort is in connection with the British Phonographic Industry’s (BPI’s) campaign to identify illegal file sharers and then report them to Virgin Media, which has agreed to send out warning letters such as the ones it recently sent.
I am very sympathetic with the current plight of both the recording and movie industries, both of which lose huge amounts of money due to piracy. Despite legislation designed to protect both of these industries by punishing individuals who illegally copy and share music and movies, the situation has, if anything, gotten worse. It is easy, therefore, to understand the desperation of the BPI, the Recording Industry Association of America (RIAA), and Motion Picture Industry Association (MPIA).
Crackdowns of any nature invariably have unjust fallout, and the crackdowns by the music and motion picture associations have been no exception.
Numerous individuals have ostensibly been unjustly charged with illegal file sharing. Additionally, some crackdown efforts have proved to be excessive and draconian. You may recall the case of 12-year-old Brianna LaHara, a New York honor student whom the RIAA sued for illegal music downloading five years ago. Brianna’s mother had paid a $29.99 fee to KaZaA for a music service that she thought would allow downloading music at will. Brianna faced a potential fine of $150,000 per illegally downloaded file, but after the tide of public opinion turned overwhelmingly against the RIAA, the RIAA reached a settlement with Brianna in which she had to pay only $2,000.
What bothers me most about the efforts of the music and movie industries, however, is how flimsy the evidence of illegal content downloading that they too often obtain is, but then they blow that evidence up to the point that they accuse those they have identified of major copyright statute infringements.
A good example occurred when I was at the Berkeley Lab not all too many years ago. A HoneyNet in which most ports of the virtual servers therein appeared to be open and listening had been set up for research purposes. Some of these ports are commonly used by peer-to-peer (P2P) file sharing programs such as KaZaA, Gnutella and eDonkey.
Sure enough, not too long after the HoneyNet was put in place, the RIAA sent Lab management a threatening letter instructing it to cease and desist in allowing illegal file sharing activity there.
Lab management sent a reply explaining that there was no illegal file sharing activity, but instead that a HoneyNet used to study attacks gave the appearance that the ports in question were open. Not long afterwards the RIAA showed that it had not read the letter, did not understand, or did not care (or possibly all three) by sending a second, even more threatening letter.
Clearly, clowns rule the circus when it comes to at least some of the RIAA’s witch hunts.
What happened at Berkeley Lab was by no means an isolated incident. The BitTorrent file sharing protocol is widely used for completely legitimate purposes, such as downloading patches for Linux systems. Despite this, the RIAA and MPIA have threatened to sue many hundreds of users who have utilized this protocol legitimately.
Additionally, the RIAA and MPIA sometimes act on completely ludicrous false alarms without even investigating whether they were even marginally legitimate. In some cases, for example, these associations have threatened to sue individuals who have remotely accessed printers, or who have accessed wireless access points.
History has so many times taught us that it is possible to take up a just cause, but fight the battle in a manner that guarantees defeat. I fear that unless the entertainment industry makes radical changes in its crackdown strategy, defeat will be the inevitable outcome.
~ : ~
August 18th, 2008
Defending Web servers and applications against attacks is one of the most difficult tasks that information security professionals and others face. The facts that Web server locations are normally well advertised, applications are often complex, and that many automated ways of attacking frequently used Web services and protocols exist only exacerbates this already difficult task.
Not too many years ago a particular Web server, the Internet Information Services (IIS) Web server, stood out as a particularly easy target to attack.
According to attrition.org seven years ago, 21 percent of the web servers on the Internet were IIS Web servers, yet over 60 percent of all reported web page defacements and break-ins into Web servers involved IIS Web servers.
Among the many vulnerabilities in IIS implementations at that time was the fact that IIS ran with SYSTEM privileges, the highest level of privileges in Windows systems.
If an attacker or exploit tool exploited a vulnerability, the result was thus often unauthorized SYSTEM privileges, meaning that the attacker or malware now effectively owned the system.
Furthermore, by default older versions of IIS were installed on the system drive, something that exposed system directories and files because they were in close proximity to IIS-related directories and files. Perpetrators quickly devised directory traversal tricks that gave them access to critical system configuration files and executables.
Older versions of IIS also did not adequately screen input to stop buffer overflow, denial of service, and other types of attacks. To make matters worse, older versions of IIS were riddled with vulnerabilities that required one patch after another. The task of making older IIS Web servers adequately secure was, to say the least, grueling.
Microsoft’s response to the many security concerns associated with older releases of IIS was insufficient: a combination of making a number of add-on IIS Web security tools available and a massive PR campaign designed, among other things, to discredit those who were vocal about the many security-related problems found in IIS at that time.
But then Microsoft saw the proverbial light by changing its approach to IIS Web security.
As I have said before, Microsoft’s Trusted Computing Initiative (TCI) focused on security engineering during code development, and among the many beneficiaries of this effort was IIS 6. Microsoft not only massively re-coded IIS, thereby ridding this product of many implementation-related security flaws, but also made many other changes that resulted in huge improvement of the IIS Web server’s out-of-the-box security level.
IIS no longer ran as SYSTEM, nor did it automatically reside on the system drive after installation. Default permissions on files and folders improved considerably. IIS also filtered input much better, to the point that successful buffer overflow and malformed URL attacks in IIS 6 and 7 are now almost unheard of. And concerning the number of vulnerabilities in recent versions of IIS, the then-versus-now comparison is striking, as shown in secunia.com statistics.
I recently taught a course on IIS 6 and 7 Web security. I used to teach courses on IIS 4 and IIS 5 security. What a difference in the content of the two courses there is!
In the older course I presented literally scores of configuration changes and procedures that needed to be carried out to make the IIS Web server at least marginally secure. In the course that I recently taught I spent some time covering baseline security for newer versions of the IIS Web server, but the bulk of my time was spent on raising security well beyond the baseline level.
And concerning vulnerabilities that need to be patched in recent versions of this product, I hardly spent any time at all.
Blame needs to be assigned to the blameworthy, and credit needs to go to those who accomplish great things. Microsoft deserves a great amount of credit concerning what this software giant has done with IIS Web security. The difference between IIS Web security then and now is truly striking.
~ : ~
August 14th, 2008
I’ve been told many times that legal rulings do not necessarily correspond to common sense. A decision by a lower court in California proves just how true this is.
In Bunnell versus the Motion Picture Association of America, Rob Anderson was accused of violating the 1968 Wiretap Act after he intruded into a server owned by Valence Media and configured it to forward email messages to his gmail account. He then collected them and gave them to the Motion Picture Association of America (MPAA), which wanted to obtain evidence concerning the file sharing services that this company offers. The MPAA paid Anderson $15,000 for his services.
In August 2007 the Central District of California ruled that the accused had not intercepted any email messages, and thus did not violate the 1968 Wiretap Act. Judge Florence-Marie Cooper’s reasoning was based on her somehow being convinced that the messages had been stored momentarily, and thus were not in transmission.
This ruling still amazes me. How can someone claim that messages that were transmitted were really “not in transmission?” Additionally, forwarding messages to a destination other than the one that Valence Media intended certainly sounds like interception to me. Furthermore, the fact that Anderson had to break into the system to configure it to forward messages to a destination of Anderson’s choice by all appearances shows intent to intercept message content.
Lawyers for Valence Media are appealing the Central District of California Court ruling; the case is now in the hands of a California federal appeals court.
It is hard to predict how the forthcoming ruling will go, however, because judges and juries typically understand so little about computer and networking technology. Until they learn more about it, crazy rulings such as Judge Florence-Marie Cooper’s are likely to continue.
A saner ruling by the California federal appeals court appears to be the best thing that can currently happen to correct specious thinking about technology that has governed previous court decisions.
A proliferation of cases of this nature will invariably occur in the future. The ruling by the California federal appeals courts is thus potentially extremely important—it is likely to set a precedent that guides future rulings.
There is yet another critical consideration in this case, however. The MPAA has at times acted rather wantonly in its pursuit of copyright violations, and its conduct in connection with Valence Media is by no means an exception.
MPAA actually paid someone to intrude into a system, despite the fact that gaining unauthorized access to systems is prohibited by multiple federal and state statutes. Apparently, MPAA feels that the end justifies the means, and that it is above the law. It is well past time that the MPAA is held accountable.
~ : ~
August 11th, 2008
I recently read a news item that stated that Ponemon Institute survey results show that nearly 640,000 laptop computers are lost at airports every year. Two thirds of the lost laptops are never returned to their owners. Worse yet, slightly more than half of the lost laptops held confidential data, and only 42 percent of the lost laptops have been backed up.
With respect to lost laptops, I stand among the guilty. About five years ago I had a flight from San Francisco to Chicago. The flight, originally scheduled for early one Sunday afternoon, kept getting delayed to the point that it was finally rescheduled to leave well after dinner time, something that more or less made it a “red eye” flight.
I left the airport to have dinner at a nearby restaurant, and after coming back I had to go through airport security once again. After my hand luggage was x-rayed, I gathered my things together and walked down to the departure gate, boarded the airplane, and got what sleep I could get until the flight finally landed in Chicago sometime around three o’clock the next morning. I then had to get a rental car and drive it more than 100 miles.
Around six o’clock I arrived at the building at which I was supposed to teach a Windows security course, and after getting a tall, strong cup of coffee, I went inside to start setting up for the course. I reached inside my computer bag to pull out my laptop only to find that it was not there. I wondered what could have happened to it; I then remembered that the last time I saw it was at the SFO security line. I thus figured that I must have left it there.
Waiting for a few hours because of the time difference between the Midwest and West Coast, I called my wife and asked her to call SFO airport security while I was teaching to see if my computer had been found. Sure enough, my computer was in the hands of the TSA security staff. Fortunately, I had attached a label with my name, address and phone number on it. Interestingly, however, when my wife drove to the airport to pick up my laptop, she was not allowed to take it with her. Instead it had to be mailed to the postal address on the label that I had affixed to the laptop.
The point of this story is that it is downright easy to leave a laptop somewhere.
According to most of the survey statistics I have seen over the years, there are far more lost than stolen computers. Regardless of whether a computer is lost or stolen, however, the threat of personal and financial data and source code falling into the wrong hands has greatly escalated over the years because of laptop disappearance.
Regretfully, my laptop did not at the time have whole disk encryption. At the same time, however, the information on my hard drive was (as far as I can remember) anything but sensitive or proprietary because at the time I was a university employee. I’m not making excuses for myself; all I am saying is that despite my blunders, everything could have been much worse.
As I look back on the ugly incident I caused, a few applications for information security practices stand out in my mind.
First, we as information security professionals do not for the most part conduct enough security awareness and training concerning avoiding lost and stolen laptops. Given the high levels of risk associated with this problem, we really ought to be doing much more in helping users with laptops to become more aware of the problem and what they should be doing about it. Included in training and awareness efforts ought to be information regarding what users should do if they discover that their laptops are missing.
Second, as I have said numerous times in previous blog postings, we need whole disk encryption on laptops (as well as other computers). In my mind, failure to use whole disk encryption on laptops is increasingly equating to a lack of due diligence.
Third, every laptop needs to have a label containing information necessary to return a laptop to its owner. After all, in this world of ours there are many honest people who, if they find a laptop, will attempt to return it to its owner if they have some information concerning how to do so.
One thing, though: I do not recommend putting any information that might indicate the identity of the organization to which a lost or stolen laptop belongs. This kind of information might actually lessen the likelihood that the finder of a lost or stolen laptop will return it because the finder might realize that the laptop could be very valuable.
Fourth, be sure that laptops are backed up frequently. And finally, consider using third party tools that can greatly reduce risk (e.g., by rendering the missing machine incapable of remotely connecting to any organization’s network) if laptops are lost or stolen.
~ : ~
August 4th, 2008
Early this year I predicted that a proliferation of rootkits would occur. I was short-sighted in my prediction in that I missed the bigger issue, the spread of malware itself.
Although rootkits comprise the most serious threat in the malware arena, rootkits are only one of many types of malware. Furthermore, rootkits typically set up back door access and also often incorporate keystroke or tty sniffing ability, functions that are also frequently built into other types of malware.
Several weeks ago I noticed a news item that stated that sites infected with malware (and thus that are capable of spreading malware to computers that connect to them) increased by 300 percent compared to last year. These statistics provide poignant evidence of the accelerating growth of malware.
Interestingly, of the 213,000 sites that were found to be compromised by malware, over half of them were in the People’s Republic of China. Incredibly, just ten networks around the world contain almost half of all sites that inject malware into computing systems.
Another news item stated that Microsoft has recently asserted that the most recent version of its Malicious Software Removal Tool has already eradicated password-gleaning programs from more than two million Windows systems. One of the most prevalent types of these programs is “Taterf,” which captures passwords entered during Internet gambling sessions. Microsoft also said that its Malicious Software Removal Tool has deleted Taterf from 700,000 PCs.
Malware has constituted a significant threat since the mid-1980s. Until about seven or eight years ago, the problem was at least in theory mostly controllable. Until then, most of the malware threat manifested itself in the form of viruses and worms, but anti-virus software designed to detect and eradicate these types of software has been available for many years. Although not all anti-virus software is equally effective, nor has it ever been, most of it has been sufficiently effective in containing virus and worm-related risks to an acceptable level.
Until the last seven or eight years, the problem has instead been the number of PCs on which anti-virus software has not been installed, or if it has been installed, not regularly updated. With the increased profit-related motivation for writing malware that has occurred in recent years, however, writing malware that is as undetectable as possible is now the rule. Writing viruses and worms, which generally replicate themselves profusely, has thus largely become a thing of the past.
Trojan horse programs, which do not self-replicate, are now dominant. Unfortunately, most current anti-virus tools are not all that proficient in detecting and eradicating Trojan programs, and although tripwire tools are ideally suited for this purpose, these tools are generally quite a bit more expensive to purchase than are anti-virus tools, thus limiting the growth of use of tripwire tools.
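The reason tripwire-style tools suit Trojan detection is that they do not need a signature: they record a cryptographic hash of every file in a trusted state and later report anything that has been modified, added or removed. The following Python script is an added illustration, not code from the original post or from the Tripwire product; the directory tree and file contents are constructed in a temporary directory so the example runs offline. It builds a baseline, simulates a Trojan that replaces one binary and drops a new file, and then reports the differences.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separators) to its hash.
    In practice the baseline is stored off-host or read-only, so that malware
    cannot simply rewrite it after modifying the files it covers."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: trusted install, then a Trojan that replaces an
    existing program and drops a new one. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        # Trusted state (constructed file contents, not real binaries).
        _write(root, "bin/updater", b"original updater code")
        _write(root, "bin/helper", b"original helper code")
        _write(root, "etc/app.conf", b"verbose=0\n")
        baseline = build_baseline(root)

        # Simulated infection: one binary swapped, one file added, one removed.
        _write(root, "bin/updater", b"updater code with extra behaviour")
        _write(root, "bin/svchelper", b"dropped program")
        os.remove(os.path.join(root, "etc/app.conf"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

An anti-virus scanner would flag the dropped file only if it carried a known signature; the integrity check flags it, the modified binary and the deleted configuration file regardless of what they contain.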
I predict that for the foreseeable future there will be no end in sight; malware will continue to grow as much as the price of petroleum. A long-term solution for the malware problem is desperately needed, but this answer will not be third-party software of any kind. Instead, Microsoft and other operating system vendors need to build mechanisms that defend against malware infections directly into their products.
Security that is retrofitted is never as suitable as security that is built in right up front; this is as much true with malware prevention as with anything else.
~ : ~