OWASP Security Assurance Testing of Virtual Worlds Project

Posted in /home/MMORPG, /home/research on March 8th, 2010 by Rick Zhong

Finally I decided to give it a push and move this part-time toy project onto a bigger stage. I have registered this project with OWASP and I am pleasantly surprised by the level of support and encouragement from the OWASP folks. So here it goes - OWASP Security Assurance Testing of Virtual Worlds Project.

This project aims at creating a systematic and structured security framework for Virtual Worlds users (the gamers), third-party testers and developers. We already have very good security frameworks for generic application security (such as the OWASP Testing Guide); it’s time to zoom in on a specific category of application, in this case the Virtual Worlds created by various MMORPGs (Massively Multi-player Online Role Playing Games). If you ask me why I chose this specific type of application, I will say that I have this vision that one day, or even in the near future, virtual worlds will be an extension of the real world. They will be just like independent nations with their own economies, laws and regulations, political systems and social structures. A very simple example is that we may see virtual currency come into real-world FX trading - we may see currency pairs like USDLID (LID -> Linden $ currency in Second World) or USDISK (ISK -> currency in Eve-online). This is definitely very exciting stuff and worth the efforts from all of us.

Lastly, a quote from Steve Jobs’ convocation speech (Stanford) -

“You can’t connect the dots looking forward; you can only connect them looking backwards. So you have to trust that the dots will somehow connect in your future. You have to trust in something: your gut, destiny, life, karma, whatever, because believing that the dots will connect down the road will give you the confidence to follow your heart, even when it leads you off the well-worn path, and that will make all the difference.”


Get the security geeks in the room and kick the lawyers out !!!

Posted in /etc/IT_security/news on October 21st, 2009 by Rick Zhong

Some advice from Heartland Payment’s CTO after the largest credit card data breach in history - link from Bank Systems and Technology: http://www.banktech.com/blog/archives/2009/10/heartland_calls.html?cid=nl_bnk_daily

Heartland Calls for End-to-End Encryption, Cooperation to Prevent Data Breaches


A Pleasant Surprise from Microsoft Security Newsletter

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on October 20th, 2009 by Rick Zhong

In an era when newsletters from vendors are almost the equivalent of spam emails, I am pleasantly surprised by the content of the Microsoft Security Newsletter - at least for this issue, volume 6, issue 10.

First of all it is of the right length, with no chunky huge paragraphs and with proper links - it is an absolute turn-off when you see something interesting and yet there are no links, or even worse, the content is for restricted groups. Next, related articles give interested readers the full picture of tools and their relevant usage - for example, BinScope is introduced in this newsletter together with a how-to article (BinScope Binary Analyzer and Security Tip of the Month: Using BinScope Binary Analyzer to Improve Code Security). In the Business Security section, Andreas Wuchner speaks out the exact thought in my mind in “What I Look for When Hiring IT Security Staff”. It is a short, precise and very accurate summary of the reality of hiring IT security staff.

This is the 2nd time in the week I am impressed by Microsoft (the first one is the Microsoft Security Development Lifecycle blog). Probably it’s time to get a copy of Windows 7 ..LOL


Business Process Security - The Layer-8 of Information Security Model

Posted in /home/research, /opt/risk_management, /root/IT Management on August 14th, 2009 by Rick Zhong

I can’t believe this is the first entry in my blog for the past 6 months and we are more than half way through the year 2009. It has been … ‘busy’ … (err.. I tend not to use this word because everyone is busy and it’s not really justifiable given the very diverse scales of measurement ..) Anyway I have been travelling around the Asia Pacific region, meeting people from very different cultural backgrounds, professions, ways of thinking and lifestyles. It is fun although there is frustration, boredom and stress. That’s part and parcel of life anyway.

The only thing that triggered me to sit down and write this post is the inspiration after reading a couple of articles in one of the backlog ISACA Journals. In the “HelpSource Q&A” section, there is a question on how to fight phishing attacks against online banking applications. Although I have been dealing with process-level controls for the past year, the words “attacks”, “applications” and “phishing” just trigger the technical, geeky style of problem-solving in me, and ideas of strong 2-factor authentication, SPF (Sender Policy Framework), gateway spam filtering etc. immediately come into the picture.

However the very first key control suggested is to have a properly defined e-mail communication policy for both sending and receiving emails to and from customers. Subsequently the advice mentioned a number of very good business process improvements which take fighting spam/phishing emails into consideration. A few small changes to a business process can easily mitigate a bunch of relevant security issues which technology alone finds difficult to tackle. It reminds me of those days when great amounts of effort and resources were spent on network-level controls in order to fight application-level security issues. Are we in the same situation nowadays, spending too much effort creating application-level or even information security process-level controls in order to tackle business process-level security issues?

I believe it’s time to introduce business process security into the information security model and make it a layer-8 practice. It is just like building security into the SDLC: we shall build security into a business process from the very beginning. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry - probably soon we will see business process-level security penetration testing, business process hardening etc.


From Storm to Conficker - A Changing Perception of Malware Developers

Posted in /etc/IT_security/news, /home/research, /var/rant on March 31st, 2009 by Rick Zhong

I have to admit that recent malware like Storm and Conficker has really impressed me - the various top-notch feature implementations and the strong skills and knowledge demonstrated. If you still think malware developers are a bunch who only know how to package published vulnerability POCs and insert the payloads into out-dated templates, you are probably still living in the pre-2004 era. Yeah, that’s not very long ago, but long enough for the information security industry to get rid of a bunch of old concepts and ideas. Here is the original description from SRI about the Conficker worm - Conficker Write-up.

One quoted paragraph from this write-up really sends a chill down the spine of most infosec folks.

“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

While we - the infosec folks - are happily talking about nice-looking processes, management, frameworks etc., indulging ourselves in various fanciful security solutions full of marketing hoohaa, we seem to forget about the fundamentals. Probably we need some form of wake-up call - before it is too late.


Get rid of the Monday blues - a self-pwned ad from IBM ISS

Posted in /home/open-source, /tmp/others, /var/rant on March 2nd, 2009 by Rick Zhong

What do you think of when you see the pinky pig? :-) And the balance is tilted to the pinky pig!!

http://www.iss.net/

Oink..oink...

Oink..oink...


Your Nokia phone is ‘cursed’

Posted in /etc/IT_security/news, /home/research, /research/hacking_penetration on January 6th, 2009 by Rick Zhong

Nokia ‘curse of silence’ SMS details have been released by Tobias Engel. It is a simple SMS like ‘123456789@123456789.1234567890123’ sent in email format from most mobiles. Once you receive this SMS on your vulnerable Nokia smartphone (most Symbian S60s), it’s a gone case. A factory reset is required.

Exploit details:

http://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt


For all the friends in Information Security Industry

Posted in /var/rant on November 17th, 2008 by Rick Zhong

An article from CSO online, and I can’t help but blatantly post it here to share with all my friends in the Information Security Industry. Information security is a very young industry and we need people to have faith in what we are doing and the value we create. It’s sad that we see a lot of people leaving during the good years to pursue greater monetary gains and also people who are forced to go when the economic crisis strikes. I heard one veteran mention that “All of us want to quit the InfoSec industry but realized that it has sucked us in!” Hope this quoted article can help us survive the current economic recession and keep the passion and faith in the profession to which we have dedicated our careers.

========================================================

November 04, 2008

When meeting someone new and describing my background in this industry I often say “I’ve seen the best of times, I’ve seen the worst of times and most of what falls in between.” I’ve been recruiting in Information Security long enough to have experienced the heady times of the dot.com boom and the dark days that followed after it all came crashing down. I’ve also been here as the industry has grown and evolved—sometimes as a result of and sometimes in spite of significant difficulties. This evolution leads to adaptation, and it’s the ability of people to adapt and rise above one challenge after another that makes our industry so dynamic.

Given what I do, communicating with and connecting people, I’ve offered both a shoulder to cry on and kick in the pants to those that need it—especially in uncertain times like the ones we’re facing. I don’t enjoy either situation. For the purpose of this column I wanted to offer some sound advice to those Information Security professionals who are concerned about the future of their jobs. Think of it as a general checklist of things that you probably should be doing all the time but need to devote some time and consideration to right now, especially if your future is uncertain.

First, know your differentiators. Understand what sets you apart from your peers and how you can use these qualities to best advantage. Similarly, think about your personal “brand”. If you had to describe to another person who you are, what you do and most importantly what problems you can solve, how would you do it? Develop a personal branding statement that will allow you to do this whether it’s in the elevator with your boss’s boss or on a job interview.

For example, I was speaking with a candidate who had very strong application security skills. She also had a great sense of humor and was a natural communicator. She was frustrated because she was falling behind in her work due to the number of times she was personally requested to sit in on IT project meetings. I laughed when I heard this because she didn’t realize what she was saying. The result was one more critical differentiator that strengthened her personal brand. So now, when somebody asks her what makes her stand out, she’ll tell them “Although my primary focus is application security risk assessment, I’m the person my company relies on to bridge the gap between business and security requirements and who gets everyone to work and play well together.”

Second, find ways to leverage your differentiating qualities to add greater value to your current organization. By demonstrating the ability to provide solutions and solve problems important to your company you may just save your job, or at least postpone your departure. So find out what the hot buttons are—not just within security but with other areas of IT and within the business you support. There may be hidden opportunities where your perspective and experience could make a difference.

Third, work on strengthening your relationships with your management as well as other stakeholders or clients you support. Communication is key to accomplishing this. Developing an active and open rapport with others will help you better understand the big picture of what’s going on around you. It will also help you keep your cool and make informed decisions about your options while rumors at the water cooler are flying.

And finally, be ready to embrace change beyond your control. From a career perspective this means having your “personal marketing documents”, AKA resumes, references and professional certifications, up to date. It also means communicating your interests and intentions to everyone you know who might be able to help you. This includes re-connecting with your recruiter, any mentors, past co-workers or clients with whom you’ve had positive experiences in the past. It also means taking the time to catch up on the industry at large through reading trade journals, attending networking events and increasing your participation with industry organizations. Get the word out to your associations, organizations, friends and family that you are on the job market.

Lately, not a day goes by that someone doesn’t ask me what the future holds for our industry in these tough economic times. The truth is, nobody can tell. It’s a fact that in the short term, supply will likely outstrip demand especially for the most senior roles in our industry. The best and only way to adapt to change of this nature is to be prepared—mentally, materially and socially. We should know that we’re in for a marathon and not a sprint. Yet despite the challenges ahead I’m confident that our industry will continue to grow and thrive. We just need to put less stock in the markets and more stock in ourselves. ##

Jeff Combs is Practice Lead, Security and IT Risk Recruiting at Alta Associates.

========================================================


POC Setup for Kaminsky’s DNS Finding

Posted in /home/open-source, /home/research, /research/hacking_penetration on October 12th, 2008 by Rick Zhong

Last Thursday I gave a presentation on Dan Kaminsky’s recent DNS finding to the local security meetup group folks. It has been a while since I last laid my hands on network packet analysis and tweaking a bind9 server, and even BackTrack 3 looks fresh and interesting to me again.

Initially I thought it would be a huge task to set up a full POC environment for the DNS attack. I was planning and thinking about all the details such as the race conditions, a full-function attacker-controlled DNS server, segregation of the testing environment. However the more I planned, the messier it became, until a point where I told myself - forget about it, this is not a huge corporate project for which you need all the planning, risk analysis etc. etc. Let’s just be a normal script kiddy - get an available exploit, understand it and set up a minimum environment to try it; if it works, that’s it. If it doesn’t work, then we analyze what the problem is. This turned out to be a fantastic plan and again all my old friends - VMware, Ubuntu, Metasploit, Wireshark and BackTrack - came to the rescue. Here is the simple but fully workable setup (all in one Lenovo T61 laptop):

Vulnerable DNS server

  • Ubuntu 8.04 LTS Desktop Edition in VMware (Server 1.06)
  • IP address: 192.168.1.13
  • with Bind9 packages installed
  • A little tweaking of the named options (fixed query source port and recursion allowed for the attacker’s subnet; see the attached named options file)

Attacker machine

  • BackTrack 3 Final in VMware (this is available directly from the home page; you don’t need to install it to the hard disk anymore)
  • IP address: 192.168.1.24
  • Update your Metasploit to make sure the auxiliary/spoof/DNS/bailiwicked_host module is available

Client PC

  • Windows XP (the host machine which has VMware Server installed)
  • IP address: 192.168.1.4
  • It just serves as a poor third-party DNS client which queries the vulnerable DNS server for IP info

The success rate for the POC is quite high: more than 70% of the spoofing attacks (using the Metasploit module) were able to inject the records into the vulnerable DNS server within 20 minutes. I have attached a copy of the Metasploit screen output and a corresponding Wireshark traffic dump for one of the POC attacks - making the vulnerable DNS server resolve www.jpmorgan.com to IP address 192.168.1.226.

The POC for this attack is pretty safe because the traffic is only routed within the LAN, except for the initial queries for the target’s DNS nameserver list. Anyway the initial queries are completely harmless because they are just normal DNS queries to a third-party DNS server. Lastly, Metasploit’s check for a recursive DNS server is a bit buggy. It throws out a false negative and always considers the target vulnerable DNS server “not vulnerable”. I am yet to find out the reason.
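The two named tweaks listed in the setup above are exactly what a defender should be looking for in a resolver config. As an added example (not the post’s attached namedconf.options, and not Metasploit code), here is a small Python audit of a BIND named.conf options block that flags a pinned query source port and an open recursion ACL. Both sample blocks are constructed: WEAK_OPTIONS mirrors the description above (fixed source port, recursion granted to a lab subnet) with a hypothetical port number, HARDENED_OPTIONS shows the corrected form, and all function names are mine.

```python
import re
from typing import List, Optional, Set

# Constructed example of the vulnerable lab server's options block: a fixed
# outbound query port and recursion for the attacker's subnet. The port number
# is hypothetical; the post's real attachment is not reproduced here.
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    query-source address * port 53210;   // pins the outbound port
    recursion yes;
    allow-recursion { 192.168.1.0/24; };
};
"""

# Hardened counterpart: no query-source port clause, so BIND picks a random
# source port for every outgoing query, and recursion only for local clients.
HARDENED_OPTIONS = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localhost; localnets; };
};
"""

# named.conf accepts //, # and /* */ comments; strip them before matching.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)
QUERY_SOURCE_RE = re.compile(r"query-source(?:-v6)?\s+([^;]*);")
RECURSION_RE = re.compile(r"(?<![\w-])recursion\s+(yes|no)\s*;")
ALLOW_RECURSION_RE = re.compile(r"allow-recursion\s*\{([^}]*)\}\s*;")
OPEN_ACL = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text: str) -> str:
    return COMMENT_RE.sub("", text)


def fixed_query_ports(text: str) -> List[str]:
    """Ports pinned by query-source / query-source-v6 clauses ("port *" means random)."""
    ports = []
    for m in QUERY_SOURCE_RE.finditer(strip_comments(text)):
        port = re.search(r"\bport\s+(\S+)", m.group(1))
        if port and port.group(1) != "*":
            ports.append(port.group(1))
    return ports


def recursion_enabled(text: str) -> bool:
    """BIND defaults to recursion yes when the statement is absent."""
    rec = RECURSION_RE.search(strip_comments(text))
    return rec is None or rec.group(1) == "yes"


def recursion_acl(text: str) -> Optional[Set[str]]:
    """Entries of the allow-recursion ACL, or None when no ACL is written."""
    acl = ALLOW_RECURSION_RE.search(strip_comments(text))
    if acl is None:
        return None
    return {entry.strip() for entry in acl.group(1).split(";") if entry.strip()}


def audit_named_options(text: str) -> List[str]:
    """Findings that make Kaminsky-style cache poisoning easier."""
    findings = []
    for port in fixed_query_ports(text):
        findings.append(
            f"fixed query source port {port}: forged answers only have to match the 16-bit TXID"
        )
    if recursion_enabled(text):
        acl = recursion_acl(text)
        if acl is None:
            findings.append(
                "recursion enabled without an explicit allow-recursion ACL: "
                "relying on the BIND default (localhost; localnets in recent versions, any in old ones)"
            )
        elif acl & OPEN_ACL:
            findings.append("recursion allowed for any client: the cache can be poisoned from anywhere")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(name, audit_named_options(cfg) or ["no findings"])
```

Run it directly and the weak block reports the pinned port while the hardened block reports nothing. The pinned port is what makes the 20-minute success rate above achievable, since the forged replies then only need to hit the transaction ID; leaving the port clause out lets BIND randomize the source port, which is the mitigation the 2008 resolver patches shipped.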

Bind9 Named Config Options:  namedconf.options

Metasploit Console Output: msf_output_jpmorgan

Meetup Slides: understand-kaminskys-dns-attacks-oct-2008.ppt


Confessions of an Information Security Manager ?

Posted in /etc/IT_security/news, /opt/risk_management, /root/IT Management on September 10th, 2008 by Rick Zhong

I just read an article, “Confessions of a Risk Manager”, from economist.com. It is recommended by a featured blog post, “Risk Managers Are Just Like Security People”, on securityfocus.com. The article truly and vividly describes the kind of difficulties and dilemmas encountered by a Risk Manager, which I can very much relate to the information security folks in the financial sector. The situations of information security folks and risk managers are amazingly similar.

“In their (By Rick: the business people, mainly front line traders, bankers, sales) eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told. At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.”

Probably I shall replace all the financial terms with information security terms in this article and come out with a new version titled “Confessions of an Information Security Manager”.
