2011-02-19 21:07:55 by chort
I just took 3 days off from work to attend BSidesSF and the Barracuda Networks Security Wine-out, with an interlude to work the RSA Conference. The following is a rambling summary of the topics and ideas I encountered this week, along with my commentary.
Lessons Learned From Running a Bug Bounty Program - Daniel Peck
- Program running for 90 days, 40 unique bugs reported, 25% of those bugs were in-scope.
- Scope was command injection, privilege escalation, arbitrary commands, RCE, etc.
- Requiring would-be auditors to have access to commercial product was a barrier to entry.
- Don't overestimate pool willing to work for a few hundred to a few thousand USD per bug.
- Make sure to educate internal folks (dev, QA, etc) prior to external launch.
- Looking for more ways to get products into testers' hands to encourage more participation.
- Still glad they launched the program, even though they got many fewer bugs than anticipated.
My take: Bug bounty is only going to attract amateurs. If you are going to offer huge reward, you might as well hire professional pentesters/software auditors. If you go the cheap route, make sure your stuff is really easy to get ahold of or else no one will bother.
Screw the TSA: Iíll Be Where I Want, and Get Credit for It! - Ray Kelly
- Nothing to do with the TSA :(
- Most geolocation services can be trivially spoofed.
- They accept unverified lat/long from client.
- Often possible to get exact lat/long from server, then add a random small offset and send it back.
- Yelp seems to use closed API and a nonce to prevent spoofing.
My take: This stuff is ripe for exploitation. Have a field-day before the low-hanging fruit is harvested.
Cloud Security Realities - David Mortman
- The choice between on-premises and ?aaS should be made based on what you can manage best.
- Don't accept that ?aaS provider is audited, require them to show what was audited.
- Be aware that most providers only allow you filter inbound traffic, not outbound.
- You usually only get one IP, which can make multi-domain SSL a real pain.
- You usually get a flat network, no tiers; also you don't get OS patch management and other OS management functions.
- Some providers allow you to route to/from virtual systems via VPN--run it through your site to apply your network controls.
- Need to think hard about how users will be authenticated in provider's environment, how to do identity management?
- Find out what provider's policy is regarding subpoenas.
- Need to make sure provider will push-back vs. overly-broad subpoenas.
My take: You can't just forklift everything to the cloud and wipe your hands; you need to continue doing same risk analysis and applying appropriate controls. You can't assume provider will do the right thing on security, or on anything for that matter. On the other hand, if a provider can manage complexities of availability and integrity better than you can, it makes a lot of sense to move those functions to the cloud.
When CSOs Attack- HD Moore
- This talk was about building security audits of products into the evaluation cycle prior to buying.
- Legacy systems are rarely decommissioned, but they are a security liability.
- For instance: Scanned Internet w/SNMP and found 2M reponses, 250K reveal build date, 200K running old versions, 60K Cisco routers.
- Everyone wants to enable business quickly, so things get pushed through fast.
- Product acquisition time is your best chance to reduce long-term cost by building security in.
- Prepare you team in advance for the product audit so you can move quickly.
- Your team can learn as you go; supplement with professionals for projects critical to your business.
- Make sure you back the right-to-audit into contract, try to get a commitment on days to fix an issue too.
- Have base OS images as virtual machines for each of your standard platforms, enables quick audit setup.
- Make it clear that audit is required, but you want vendor to pass it.
- Get executive support by showing them a case study of a failure (with associated cost).
- Extract disk image from appliance or virtual appliance. Mount image on different VM (bypasses BIOS & console passwords).
- Search for hard-coded passwords, keys, etc.
- Examine network traffic for weaknesses.
- Search web server for webapp config files. Look for axis2 in Tomcat config files, if found you're screwed.
- Don't believe vendor claims of segregated environments in cloud, make them prove it.
My take: It makes complete sense to actively evaluate the security of products before you purchase them. Don't just take the vendor's word for it, check it out yourself. Weeding out garbage before it gets in (or being aware of limitations that you need to work-around) will save a lot of hassle in the long-run.
Attacking Cyber Security Marketecture - Andrew Hay, Richard Bejtlich, and Travis Reese
- This panel attempted to bring more clarity on the subjects of cyber-espionage and cyber-warefare.
RB: Chinese believe US/China are involved an an information war already and that the US started it. They believe our culture (music, fashion, etc) are an affront to their network sovereignty.
TR: This isn't new; it's been happening for years. It's setting up economic conflict for the next 20 years. We're talking about mostly cyber-espionage, not cyber-attacks.
RB: (explaining the term APT) Imagine fictional biker gangs being investigated: Each has a code name, but govt. needs a way to refer to all of the related gangs with an unclassified term. That's what APT is. It means the actors who are posing a threat. Anyone can open a lemonade stand, but it takes real dedication and skill to stay in business for years--our adversaries are staying in business. Other's have misappropriated the term.
RB: (explaining why US govt. hasn't called-out China) It's like Russian pilots flying in Korean War: We knew they were doing it, they knew we knew, but everyone accepted it as status quo rather than risk escalation. There's no incentive to call them out.
TR: Agrees with audience participant that term "cyber-war" should indicate military component.
TR: (on persistence of actors) When Mandiant go into a network and find 20 backdoors and close them, they come back a few days later to find 50 new backdoors. They're tenacious at staying in networks once they have access.
RB: (explaining how different adversaries operate) China's operators are content with public denials (can't prove it was us, hacking is illegal in China, we get hacked too, etc). Chinese don't mind being caught in systems, they just want to stay in and collect as much as possible. Other adversaries vanish as soon as machine is touched--no trace.
RB: (on Chinese military doctrine) China is trying to "informatize" their military by 2049--this means all units will have information capabilities and upload to central command. This model fits a centralized control doctrine well. US military uses opposite: Units are empowered to make their own decisions and use initiative. As Chinese military gets more instrumentation they will be more vulnerable to US offensive electronic warfare.
TR: When was the last time US military innovated? It doesn't, all the recent innovation came from private industry. That's what Chinese are attacking via cyber-espionage; they're stealing our innovations.
RB: Chinese have a philosophy that all information warfare is integrated: Signals, intelligence, electronics, networks--it's all information.
TR: Our resources have been focused on terrorism recently. We've taken the eye off the ball with nation-state threats.
RB: (how to get through marketing FUD) Ask them for specific sources.
AH: (wasn't in my notes, but I recall him saying) There are lists on the Internet of which industries and technologies are being targeted. Consult those lists to decided how likely your company is to be targeted by persistent actors.
Jack Daniel: Mentions that it's not just high-tech, even his blacksmith friends have stopped posting high-res photos of their work on-line because Chinese were knocking them off.
My take: APT are people or groups of people, not code or techniques. Preventing these attacks is pretty much impossible. More on that in my next post.
Active Exploitation Detection - Marc Eisenbarth
- Inline monitoring is expensive and difficult to scale [not to mention you can't do it for arbitrary networks. chort]
- They wanted to monitor arbitrary systems for exploits and decided to start with web apps.
- Originally wrote a port-scanner in Erlang with DB backend for speed, then realized Unicornscan did what they wanted [I remember it being released at Toorcon, when their demo didn't work. chort]
- Blind Elephant for static web app fingerprinting.
- Hadoop for storage, to overcome limitations with traditional file systems.
- Recommends Cloudera Hadoop distribution to get started playing with it.
- Estimate it takes 1TB to store 100M pages (some capped at 10KB), crawled by 1 CPU (core) w/1GB RAM.
- Update monthly, need 10 machines and 40MB/s bandwidth.
- Noticed that Asian regions lag behind on patches.
- Vuln rates in core CMS components holding steady, but rates in plugins/themes increasing at staggering rate.
- Attackers using R57tool for managing compromised machines.
- For scanning, bought IPs from ISPs that were most tolerant of abuse.
My take: Nice science project, but very light on the details of how they classified changes to pages as malicious. So what are they going to do when they detect a compromised page? It seems there's very little value here.
Threat Modeling: Learn to Optimize Your
Security Budget - Robert Zigweid
- Prefers CIA to STRIDE/DREAD--former seems to cover everything fine.
- Don't try to model every threat--it's a waste of time. Also make sure threat is in-scope for project, not a parent project.
- Bring audio recorder to initial brain-storm session of how to model the project.
- Microsoft Threat Analysis and Modeling: Free, difficult to add to inventory, can be difficult to manage.
- Microsoft SDL Threat Modeling Tool: Actively developed, extensible, tool itself is free, but requires Visio.
- Best tool in his opinion is whiteboard + camera. Whiteboard allows drawing multiple relationships.
- It's not a one-person job, need to involve team.
- Don't ever delete a threat; once a threat, always a threat. Can accept that a certain threat isn't addressed in later models.
- Properly identify assets (see prev. on scoping).
- Use a wiki to track the model, can see revision history.
- Agile development makes threat modeling harder because it encourages a lot of face-to-face communication that doesn't get recorded. It also encourages requirement changes late in cycle. Can be a benefit because of greater input.
- Present threat modeling as "alternative method of risk analysis", this can have greater acceptance.
My take: I don't know enough about threat modeling yet to really have insight, but I was relieved to learn that you're not supposed to spend painful amounts of time to model every single possible threat. Be thorough, but don't stay bogged down forever.
Log Analysis and Visualization in the Cloud - Raffael Marty
- IaaS you have nearly the same visibility as in your own datacenter.
- PaaS the providers are just starting to make some logs available.
- SaaS you're nearly blind.
- Need to do a better job instrumenting applications. It takes a lot of work to design useful logging.
- Big data is a huge shift in how information is processed. Log writing/consumption going to queue-based systems, writers put data in a queue and readers dequeue it as they have availability.
- Think about how people use data: Explore -> Answer -> New question -> Increase efficiency -> Communicate what you've found -> [illegible]
- Tools: Highchart (JS & Json), Google Viz API, ProtoViz, TheJIT, Processing, Multitail.
- Model for effective visualization: Overview -> Zoom -> Detail on demand.
- NetFlow visualization - Chris Horsley.
My take: Great information dump. Lots of leads to follow-up on. I believe visualization is a growth area for InfoSec as we struggle to make more intelligent decisions with the mountains of data we have available.
Dr. Stuxlove or: How I Learned to Stop Worrying and Love the Worm - Davi Ottenheimer
- My pen ran out of ink, so just read his follow-up blog post.
My take: He had some interest views on applying history as a lens to current situations, and not being so accepting of loosely-connected circumstantial evidence. It's really a shame my notes aren't useable for this talk.
I had a fantastic time at BSidesSF and I can't wait to attend another small conference like this (same goes for Baythreat 2010). Stay tuned for my next post where I summarize my thoughts and conclusions from the week.
- Comments (0)