My roots are in application development and it is still the number one thing I enjoy doing in this field more than anything else – including computer security. When I can develop network security apps, it’s icing on the cake. I can write apps eight hours a day, seven days a week at work, and then go home and write apps and develop Web sites for fun. It’s just something that’s in my blood.

I’ve decided to take a break from all of this security stuff and devote my spare time to developing free and pay applications for Android – at least for the next few months. As a result, I’ll be spending less time here, and surfing other blogs and Websites. Developing quality software requires my undivided attention and I find all of this too distracting to be able to focus my thoughts and efforts.  I’ll still be moderating comments and checking email.

I would like to thank all of those who have supported my blog over the past few months, especially Bill Mullins, Dan Dieterle and Ramblinrick – you guys are the best!

If this is your first time here, take a look around. You might find some useful information to help keep your computers secure – and if you really want to learn something about computer security, read my book!

Best Regards,

Mister Reiner

If you’re interested in some of the vulnerabilities that are fixed in the recent Firefox update to version 3.6.9, head on over the Firefox Security Advisories page.  Of critical note are the 10 critical vulnerabilities.

Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Note: After being advised that my Flash plug-in was out of date, Flash didn’t update properly when I went to the Adobe site.  I jumped over to IE, and downloaded and installed in the plug-in for Firefox manually.  Make sure to read the Adobe install message before installing, as Adobe always wants to trick you into installing some type of additional product that you don’t want, by automatically selecting the check box option for installing one of its partner’s products. Keep in mind that IE and Firefox updates are not packaged together and need to be updated separately.

With the amount of information about hacking and social engineering available on the Web, it’s quite easy for an unscrupulous competitor or one of its employees to compromise one or more of your company’s computer systems for the sole purpose of gather information to under bid your company on contracts. This can be accomplished by hacking into your Web servers, sending employees email that will install Trojans, directing employees to Websites that will install Trojans or obtaining physical access to your computer systems or network. With access to databases, emails, spreadsheets, documents and even contents stored on copier hard drives, it’s easy to understand how a competitor might be able to take advantage of the situation and put you out of business.

But concerns about being hacked don’t just end at your front door. If your top sales people are taking work home, it’s possible that their home computers are hacked, that someone is snooping around on their laptop at their favorite wireless enabled coffee shop, or someone has obtained stolen credentials and is accessing a shared resource such as DropBox or other online document collaboration service. If your company doesn’t have a policy of changing passwords when a person leaves the company, it’s possible that a former employee who now works for a competitor still has access back into your systems, either with his own credentials or someone else’s stolen credentials.

The worst case scenario to consider, is that one of your own employees is feeding information to a competitor, either for financial gain, as a favor in return for doing something for someone the employee knows – or even blackmail. While it may turn your stomach to think that one of your own is betraying you, circumstances can place someone in a situations that puts their own self-interests ahead of the company’s.

What to do…

The first thing you need to do is not panic. This is just a possibility you need to explore and until proven otherwise, is pure speculation on both my part and yours. There may be a perfectly legitimate reason why a competitor is winning bids and it’s up to you to figure out why.

Second, you can’t trust anyone inside the company – at least not yet. As soon as word gets out that you suspect company information is going to a competitor, any insider intentionally stealing information is going to stop their activities and even go as far as trying to cover their tracks. This can include personnel responsible for administering your computer systems or computer security.

Next, call your local FBI office or equivalent agency in your own country and discuss your situation.  They can best advise you on what to do next. It’s possible that the FBI already has its eye on one of your competitors based on other inquires.

And lastly, take a deep breath and try to relax.  If there has been any foul play, what’s done is already done. You can’t reverse time and undo the damage without help from those with the power to help you. Take things one step at a time, think before you act and realize that there is a light at the end of the tunnel.

As every computer security professional will tell you, user awareness is the key.  Make a video, enter the contest and get a chance to win some cool prizes:

• Two (2) tickets to see Snoop Dogg in concert
• Opportunity to meet with Snoop’s management or agent
• A $1,000 travel stipend, awarded in the form of airline vouchers
• Hotel accommodations for two days and one night
• A super cool Toshiba laptop

Visit the site:  http://www.hackiswack.com/

Simply put, compromise vectors are the various avenues of attack that can be used to compromise systems, information and credentials. When a vulnerability is announced, the most important thing for people to ask themselves (or a computer security professional) is how the exploit associated with the vulnerability applies to the hardware, operating systems and applications they use or manage, or to other system to which they connect. Some compromise vectors are obvious, others are not so obvious, but know that there are no “secret” compromise vectors – just variations and combinations of known techniques that tend to surprise those who don’t think like the most devious of hackers. In some cases, a vulnerability may be of no significance because it’s technically impossible to exploit the vulnerability given the compromise vector requirements.

Below are just some of the compromise vectors that computer security professionals think about on a daily basis.

Email. The most effective way to deliver malicious code to a user’s computing device is via email. Opening an email or attachment may result in a compromise through scripting, execution of an attachment or  buffer overflow. Several potential compromise targets exist along the route from the email’s point of origin to the user’s inbox via a buffer overflow (if a buffer overflow vulnerability exists), which includes the receiving email gateway, email server, email client, and email anti-malware scanning software residing on these systems.

Websites. If malicious code can’t be delivered via email, why not post malicious code on Websites and wait for users to come to it? Sending users links via email, publishing popular content (i.e. photos, movies, music, ebooks, software, cooking recipes) that show up in search engine results, and infecting legitimate Websites, are ways to connect users to malicious code in waiting. When users get to the site, hackers take advantage of unpatched vulnerabilities, out of date anti-virus software, undocumented exploits with no known signature, and social engineering techniques that entice users to open documents/files and launch executables containing malicious code.

Removable media. USB devices, DVDs and CDs delivered via postal mail, given out at events or purposefully dropped in parking lots and by building doors are effective means to deliver malware directly to a user’s computer. Content on removable media can take may forms, including documents, repackaged legitimate software and multi-media. Well-packaged malicious code can be tested to avoid detection and take advantage of undocumented vulnerabilities. Sleepers and delayed post-installation malware downloads from the Internet can bypass automated and manual security screening.

Direct connectivity to a service. All network-based applications listen on specific network protocols and ports. Network-based applications include Websites, remote access, file sharing, email, authentication services and virtual private networking. Some services are only available on a local area network, because a network perimeter firewall blocks initiating access from the outside world. Other services are intentionally open to those outside of the network, such as Web and email. Many people believe that perimeter firewalls protect their internal devices from direct connectivity vulnerabilities, but this is only true if there are no compromised computers on the internal network. Once a hacker successfully connects to a service, he can then try to exploit a vulnerability, unsecured service, misconfiguration service, or a service that has yet to be configured (defaults settings).

Physical access. Unsecured equipment in an open office area, unlocked server room and even  a locked server room, provide hackers, intruders and trusted insiders with an opportunity to bypass operating system security to implant malicious code, steal credentials, steal hard drives, steal information by replicating hard drives, and altering security configurations (device and physical). Also of concern are physical key loggers, attachment of rogue computer equipment (i.e. notebooks, wireless access points, packet capture systems) and installation of rogue cabling.

After malicious code is implanted using any of the compromise vectors described above, additional compromise vectors may present themselves to a hacker, intruder or trusted insider.

Escalation of privileges. Even if someone was only able to obtain user level permissions by successfully exploiting a vulnerability, implanting malicious code, or successfully logging in, there are compromise vectors that may be accessible once on a system, which may be exploitable in order to obtain system administrator access. To dismiss the seriousness of a vulnerability just because it only affords user level access is extremely short-sighted.

Trojans. Primary concerns include: man-in-the-middle attacks, key logging, using user or stolen admin credentials to access information, using stolen admin credentials to access other computers on the same network, uploading documents containing malicious code onto shared resources, and modification of security settings on other systems and devices to allow for additional unauthorized access from inside or outside the network. Of particular concern is a Trojan residing on a system or network administrator’s computer, which will afford access to devices that restrict access to specific IP addresses.

Accessing B2B resources. Malicious code placed on business-to-business servers can potentially be used to capture information being sent to and from the distant end. Depending on the application and protocols being used, it may be possible to compromise the computer on the distant end.

If all of this seems more complicated than, “Keep your software and anti-virus signatures up-to-date” -  it is. Extremely skilled computer security professionals spend a lot of time reading computer incident and forensics reports to keep on top of current compromise vector trends and those associated with old, new and updated software. Now factor in that most organizations don’t have the hardware or software to monitor and detect many of the activities associated with these compromise vectors. Then factor in that for some of these compromise vectors (I haven’t listed them all), monitoring and detection capabilities don’t even exist.

Now that you know all of this, there are five questions you need to ask yourself or your computer security professional for each device, operating system and application:

1. What are ALL the compromise vectors?
2. What security measures are in place to deny access to these compromise vectors?
3. What is the likelihood that someone can access these compromise vectors remotely (inside and outside the network), once on a system (i.e. via compromise or using stolen credentials) or by obtaining physical access to a system?
4. What signature-based and activity-based detection capabilities are in place to detect unauthorized activity?
5. What monitoring capabilities are in place to identify unauthorized activity that is not signature-based or activity-based? In other words, if a hacker’s code and activities have been tested to avoid detection by anti-malware software, host-based intrusion detection systems and network-based intrusion detection systems, how will someone know that a system, application or information is compromised?

Once all the compromise vectors of a particular device, operating system or application are considered and understood, specific security measures can be put in place to significantly reduce the risk of compromise, and capabilities to increase the chances of detecting compromise.

If all of this seems a bit too overwhelming to deal with yourself, it’s best to seek the advice of a experienced computer security professional.

Learn more

Is all of this new to you? Would you like to learn more about how hackers are able to exploit compromise vectors and avoid detection? Read my book!

Anthony M. Freed

We are extremely fortunate Mr. Clinton has set aside some time from his very busy schedule to offer some insight into the critical role ISA plays in shaping the future of cybersecurity.

via Infosec Island

There are a lot of really smart people in Internet land and I think it’s important to understand everyone’s perspective on computer security to see the big picture. Each of us has something to contribute to the discussion. No single person can have enough knowledge to solve the world’s computer security crisis by himself, but by sharing ideas and working together, we can collectively make a difference to make computing secure.

Before we dive into the details, let me make a brief comment here about “arbitrary code execution.” Arbitrary code execution is a euphemism for a successful buffer overflow. If you’re interested in learning more about buffer overflows, there is a decent write-up on Wikipedia. The outcome of a successful buffer overflow, is that a hacker gains control of the execution thread and can perform any number of actions, which may or may not include performing actions as the system’s administrator. With administrator privileges, a hacker may be able to install a Trojan. Even without administrator privileges, arbitrary code still executes with the user’s privileges, which provides more than enough opportunity to ruin someone’s day.

Of the seven vulnerable products/components, five are at risk for arbitrary code execution, some of which can be triggered just by viewing a document or image file:

ATS [Apple Type Service for fonts] : Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

claimAV [anti-virus program]: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution.

CoreGraphics [OS X graphics component ]: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. Note here that it’s not only Adobe software that is vulnerable to PDF exploitation!

PHP [scripting language]: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. Note that many images on the Web are PNG files.

PHP [scripting language]: Multiple vulnerabilities in PHP 5.3.1. PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

Samba [file and print services ]: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution.

If you run through the history of Windows vulnerabilities, you’ ll come across the same types of vulnerabilities.  Just think, all of these OS X vulnerabilities have been just sitting around waiting to be discovered and documented by the good guys. I wonder how long the bad guys have known about them?  How many more vulnerabilities do you think are still hidden in the code?

Here are the other two products/components that are included in the update:

CFNetwork [framework for network protocols]:  An attacker with a privileged network position may intercept user credentials or other sensitive information.

libsecurity [certificate host name resolution]: An attacker in a privileged network position who can obtain a domain name that differs only in the last characters from the name of a legitimate domain may impersonate hosts in that domain.

Just so that you don’t get the wrong idea, I’m not happy about these vulnerabilities, but they do prove that Apple’s OS X operating systems are not any more secure than Windows operating systems. Quantity is not a valid comparative statistic- it’s the type of vulnerabilities that people need to be concerned about. If I were a Mac user, I would be very concerned about exposure to some of these vulnerabilities.

Securing systems. A person is responsible for implementing security check lists, applying security patches, managing permissions to specific resources and checking log files. System and network administrators typically do this as part of their regular duties for the equipment they manage.

Architecting security solutions. These people design and engineer computer security solutions based on an organization’s requirements. The scope of work encompasses all aspects of IT and includes hardware, applications, data, mobile devices, remote access and B2B data transfers.

Performing risk assessments. There are two different types of risk assessments: technical and non-technical. Technical assessments involve reviewing architectures, doing vulnerability scans using automated tools and determining the likelihood that vulnerable systems will be compromised because of certain vulnerabilities. Non-technical assessments including looking at policy, processes and controls; evaluating the value and importance of information and how likely it is to be stolen by anyone (including insiders); evaluating non-technical threats such as natural and man-made disasters; and impacts resulting from compromise.

Managing security products. Individuals who do this job are typically responsible for managing enterprise versions of anti-virus systems, host-based intrusion detection systems, network-based intrusion detection systems, event correlation systems, Web content filtering systems, proxies and firewalls.

Testing security measures. This job is often referred to as penetration testing. A penetration tester tries to break into systems and applications using the same techniques used by hackers. This includes both technical and non-technical techniques (i.e. social engineering and breaching physical security).

Monitoring security systems. People doing this job analyze logs and alerts generated by various hardware, software and security products. Their job is to ‘triage’ the log files looking for evidence of network or host based intrusions. Once they find something of interest, they had it off to the incident response team.

Incident response. When a system is suspected of being hacked, an incident responder’s job is to collect information to determine if a system or application may indeed be compromised. This involves interviewing system administrators and users, collecting evidence, making a preliminary determination as to how a system might have been compromised and what information may have been compromised. Information is then turned over to a forensic analyst, who may be also be the first responder.

Forensic Analysis. The role of a forensic analyst is to determine exactly how a system was hacked, what malicious code was used and what information was compromised. Forensics encompasses both system and network forensics, and anything else that may be relevant to a situation. Forensics also involves looking for evidence of unauthorized activity or illicit content.  A forensic analyst documents evidence for use in a court of law.

Management positions. Someone needs to oversee day-to-day security operations, security operations centers and security personnel. Managers can lead small teams, departments, facilities or be head of computer security for an entire organization.

No matter what career you choose in computer security, you’re going to need industry certifications. A list of certifying organizations and the corresponding certifications they offer can be found here: http://en.wikipedia.org/wiki/Template:Computer_Security_Certifications

A college degree can also be very helpful in landing a job in computer security, especially if you have a degree in Computer Science, which is very different from a degree in Information Systems/Technology.

One thing to keep in mind, is that not all computer security jobs pay well. Some pay dirt while others pay a small fortune.  Before you head down any specific path, make sure you find out what organizations are paying for specific skill sets and certifications.

Good luck!

As you might have already guessed, I’m in the minority that says that it is possible.  I don’t hold it against you that you don’t believe it’s possible.  Being quite honest, I expect you to not believe it’s possible. Why? Because given current computer technology and security paradigms, it’s impossible. But I’m not talking about making current computing technology secure, I’m talking about starting from scratch with a clean sheet of paper.  If you’re interested in how it might be possible to engineer a computer that is 100% secure, please read on.

Before we continue, there are two things you should know:

1. I don’t have all the answers. There are people who are much smarter than I am at all of this and I bet they can come up with an even better solution – and ultimately, that’s what I’m hoping others will do. But before that can happen, more people need to believe that a computer can be 100% secure.

2. Re-thinking  computer security isn’t easy. All this makes intuitive sense to me, but it may not make any sense to you.  If you have questions, ask. Given #1, I’m open to any and all comments, suggestions and criticisms.

Let’s continue.

There are four things that need to be secure  in order for a computer to be 100% secure – the hardware, the operating system, the application software and the user’s data. By secure, I mean that someone cannot perform actions that will result in unauthorized control of a device, unauthorized control or modification of the executing code, or unauthorized access to data or configuration information.

For this post, I’m going to start by focusing on securing the operating system.  The primary concern I want to focus on is operating system compromise. By compromise, I mean the injection of malicious code into the file system – either a root kit, key logger, TCP/IP stack hijacker, malicious copycat daemon/service, etc.  There are no third party operating system add-ons  in this scenario, just the operating system itself. And just so that you know, buffer overflows are technically impossible in my re-engineered new world order. We’ll have to discuss preventing buffer overflows another time.

So if you had to re-engineer the hardware to make the operating system impervious to compromise, how would you do it? Get out a blank sheet of paper and start jotting down and sketching out your ideas. Don’t continue until you’ve given this some thought.

.

** Mister Reiner hums the Jeopardy theme song while you’re thinking. **

.

Ready? This is my idea:

Hardware and Operating System

1. Operating System Management Module (OSMM). This sealed module plugs directly into the hard drive. The OSMM is responsible for managing and updating the operating system and has a user interface (admin and user).  It has its own internal operating system and network card. When the computer is powered on, it boots into the OSMM after the initial POST. The OSMM does complete manifest and MD5 checks on all operating system files. The OSMM establishes it’s own connection to get updates from a local or remote update server. No inbound connections can be established to the network card.

2. Smart operating system (OS) hard drive. For the purposes of this discussion, there are four unique features of this drive:

1. It “binds” (keys) itself to the OSMM and once bound, cannot be accessed by any other OSMM without reformatting the hard drive.
2. Only the OSMM can write to the hard drive through a dedicated interface. The rest of the computer only has read access to the smart OS hard drive through a different interface.
3. Prior to starting the operating system, the OSMM locks out the write capability of the smart OS hard drive.
4. The drive only contains static operating system files. All dynamic files and settings files are stored on a different drive.

3. Operating system that is OSMM aware. The operating system will only load operating system executables from the smart OS hard drive.  For an OS using something like the Windows registry, only static OS specific registry information is stored on the smart OS hard drive. Other non-OS registry entries or dynamic OS entries are stored on a different drive.

Simple Concept of Operation (CONOPS)

The computer boots into the OSMM and the OSMM verifies the integrity of the operating system files on the smart OS hard drive. The OSMM establishes a connection to an update server to determine if any updates are required. If any updates are required, the OSMM updates and re-verifies the integrity of the files.  After the OSMM is done with it’s tasks, it locks out the smart OS hard drive and launches the operating system loader. If anything is amiss, the OSMM will generate an error message, stop and provide a menu of available actions.

Local and remote server updates are hosted on servers with a special OSMM update card. The update card will only obtain operating system updates from the operating system vendor’s designated servers or another server running a OSMB update card specified by the system’s administrator.  Distributed update architectures are allowed. If there is no local or remote update server specified or accessible, the OSMM defaults to the operating system vendor’s designated servers.

Potential Operating System Compromise Vectors

1. From what I described above, it’s impossible for any malicious code that makes it’s way into the operating system environment to write to the smart OS hard drive.

2. OSMM update man-in-the-middle attack. I’m not up on on the latest encryption technologies (sorry, been slacking), but I’m sure someone smarter than me knows how to best address this issue. Some type of chain of custody and/or trusted source verification process needs to be established to prevent man-in-the-middle attacks.

3. OSMM update server spoofing. This needs more thought. See #2.

4. OSMM admin interface access. Two/three factor authentication? A physical electronic key, that is unique to each administrator, can perhaps be bound to the OSMM.  This needs more thought.

The overall architecture and concept described above can be applied to applications as well, but I would expect a shared module and hard drive for applications vice a dedicated module and drive for each application. Hard drive partitioning seems to make the most sense. There will have to be a third drive for settings, and other OS and application specific working files – and a fourth drive for user data. I realize that there are a myriad of issues when it comes  to downloading, installing and managing applications, but they can be overcome with the right approach.

For all you LiveCD fans, what I’m essentially describing is a LiveCD that can update itself. It’s like checking, updating and burning a new ISO image from a trusted source every time the computer is started, but doing it with a hard drive instead of a CD or USB drive.

Given the architecture I’ve described thus far, it becomes impossible for operating system and application executables, and the folders in which they reside, to become “infected” will malware while someone is using a computer. Even if a hacker could figure out how to write executables to a writable hard drive, they’ll never run because it’s impossible to write to the drives from which executables are allowed to load and execute. For all intensive purposes, a hacker’s executables become nothing more than text files.

All of the above is oversimplified for discussion purposes, but I think you get the general idea of how everything works. Yes, I know it’s not as “simple” as what I’ve described above, but what do you expect from a blog post? I acknowledge that there are a lot more details that need to be worked out – and I would be crazy to think that I could work out everything myself. This is only the start of an idea – not a finished product.

So what are your thoughts on what I’ve presented? Can this idea be refined to the point of being 100% secure? Do you have any additional or better ways of doing the above? How can some of the challenges of this type of architecture best be addressed? What’s your idea?

Thanks for taking the time to read this post. I hope I’ve given you something to think about.

When people choose a computer profession, they usually specialize in a one or two areas – system administration, networking, programming, database management, security, etc. While it’s possible for someone to have a good working knowledge of other areas, to truly master one particular area means that a person has to sacrifice their knowledge in other areas. This includes specializing in certain vendor specific operating systems and/or applications. Not only that, some people have no interest in one or more of the other areas or vendor products, and as a result, have little or no knowledge about certain areas or products.

Microsoft Windows administrators, for example, may only know how to administer Windows systems and have absolutely no idea how to secure an Oracle database. They might have dabbled in programming and can perhaps write scripts, but have no idea of how to secure an enterprise grade application in Basic, C, Java, ASP or PHP. They know how to apply security settings and address vulnerabilities identified by an automated vulnerability scanner, but it’s very possible that they have no knowledge about hacking, host and network intrusion detection, computer forensics or incident response. They may have a general understanding of what’s involved, but not to the extent that they can do the job of a person responsible for that particular area. This applies to others that have specialized in specific areas as well.

While extensive knowledge about hacking is available in books and on the Internet, many computer professionals have never tried playing the role of a hacker in a test environment and attacked unpatched and misconfigured systems and applications – or applications they have written themselves. They’ve never placed malicious code on a system, taken remote control of a system using a Trojan, implanted malware on a Web page or exfiltrated data out of a database. They may not know what their own malicious activity looks like in computer security logs. As a result, many will never know that their systems or applications are hacked unless a security system raises an alert that there may be an issue.

As you might imagine, this lack of knowledge can be real problem for security personnel when it comes to working with other disciplines to secure systems, networks and applications. If a person doesn’t fully understand how something can be probed, attacked and exploited, how can that person truly understand weakness in what they are responsible for managing beyond what they are being told by security personnel – or vice-versa? The honest answer is, the person can’t.

Learn more

Are you a computer professional? Do you know as much as you should about hacking and how it applies to your or other areas of expertise? If not, my book may give you some valuable insights into what you need to know.