RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability, while still important, has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – Javascript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.

Demo against VMware 4.1 update 1.  Using a simple scan, you can find multiple VMware servers and consoles connected directly to the internet; remember, though, that these attacks can easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks?  Do you have separate management, server, and database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.
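To show why bare MD5 falls to precomputed tables and what a fix looks like, here is an added example (not code from the talk or from VMware) that audits a credential store for unsalted MD5 records and upgrades them to salted PBKDF2 at the next successful login. The store layout, the record format, the user names and the passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def md5_hex(password):
    """Legacy scheme described in the talk: bare, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Salted, slow replacement: 'pbkdf2-sha256$iterations$salt$digest'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def scheme(record):
    """Classify a stored record by its shape."""
    if record.startswith("pbkdf2-sha256$"):
        return "pbkdf2-sha256"
    if len(record) == 32 and all(c in "0123456789abcdef" for c in record.lower()):
        return "md5-unsalted"
    return "unknown"


def verify(record, password):
    """Check a password against either record type in constant time."""
    kind = scheme(record)
    if kind == "md5-unsalted":
        return hmac.compare_digest(record.lower(), md5_hex(password))
    if kind == "pbkdf2-sha256":
        _, iterations, salt_hex, digest_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False


def audit(store, weak_passwords):
    """Return {user: finding} for every record still stored as unsalted MD5."""
    # One precomputed set answers for every unsalted record at once; this is
    # the property that makes rainbow tables effective against bare MD5.
    table = {md5_hex(p) for p in weak_passwords}
    findings = {}
    for user, record in store.items():
        if scheme(record) == "md5-unsalted":
            hit = record.lower() in table
            findings[user] = "unsalted MD5, on weak-password list" if hit else "unsalted MD5"
    return findings


def login_and_upgrade(store, user, password):
    """Verify a login and transparently re-hash legacy records with PBKDF2."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if scheme(record) != "pbkdf2-sha256":
        store[user] = pbkdf2_record(password)
    return True


def sample_store():
    """Constructed store: two accounts share a password under the legacy scheme."""
    return {
        "admin": md5_hex("Summer2012"),
        "backup": md5_hex("Summer2012"),
        "ops": pbkdf2_record("a long unique passphrase"),
    }


if __name__ == "__main__":
    store = sample_store()
    print("before:", audit(store, ["letmein", "Summer2012"]))
    login_and_upgrade(store, "admin", "Summer2012")
    login_and_upgrade(store, "backup", "Summer2012")
    print("after: ", audit(store, ["letmein", "Summer2012"]))
```

After the upgrade the two accounts that shared a password no longer share a stored value, so a single precomputed table no longer covers both.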

To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out Metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplifies MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / vlan.  I have personally used this to record (with approval of course!) VOIP calls in order to demonstrate the need to encrypt VOIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VOIP is not encrypted, why not?  Does your board know it is trivially easy to record their calls or those of finance and HR etc. on your network?

Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc.  An example was finding Cisco passwords in Google docs files.  This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

RSA Conference Europe 2012 – Encrypt your cloud

Davi Ottenheimer – president, flyingpenguin

A perceived lack of security in the cloud is still one of the primary issues preventing organisations moving to the cloud.

I was hoping from the title this would touch on the issues with encrypting data while it is processed, but the introduction really only discussed data at rest and in transit.  We all know that;

–          Technically encrypting data moving to and from and around the cloud is not difficult, we have been using SSL / TLS etc. to achieve this in the public domain for years.

–          Encrypting data at rest is also technically easy and again something we have been doing for years for example with public key cryptography.

–          Even deleting data in the cloud can effectively be dealt with via good key management – if your data is encrypted with strong encryption, when you want to ‘delete’ it you can just delete the key!

For a general overview of issues with encryption in the cloud, the talk was interesting and useful covering terminology and some details on key exchange etc.

Some useful terminology when talking about crypto;

–          Encryption: reversible operation, cryptographically turns input into illegible cipher text

–          Hashing: non-reversible operation, cryptographically transforms input to illegible message

–          Tokenization: reversible operation, substitutes input with data that has no inherent value

–          Key management: life-cycle of a secret including creation, distribution, use and deletion

Consider the human / social element.  Some good slides on the Diffie-Hellman key exchange – worth looking up if you want a better understanding of this.

Consider how safe virtual machines are – how protected are they from someone who has full hypervisor access?  What happens when a VM moves to another host?  For example, VMware vMotion does not support encryption, so your machine is copied to another host in ‘clear text’ and data contained in the guest may be accessible to anyone with network access.

Some slides and discussion on Encryption as a Service, which is cool as this is one of the domains of Security as a Service that we have identified and documented :)  I’d recommend looking up Key Management Interoperability Protocol (KMIP) and Enterprise Key Management Infrastructure (EKMI) if you want to know more about potential encryption as a service key management options.

Ensure you understand key persistence and management – where are your keys?  For example, make sure they are not in things like machine templates, otherwise anyone who can create a clone with your template can have root access on all the machines made from that template.  Understand who has your keys, and who can access them and your data – read up on the Dropbox legal case for an example of this and how important it is to understand SLAs from providers.

The presentation ended with 6 recommendations for next steps;

Next 3 months

–          Classify data for segmentation

–          Setup key management policy and procedures

–          Select standards for interoperability

Next 6 months

–          Configure apps for key and crypto management

–          Select a key app and crypto app solution

–          Plan and initiate a project to protect data in cloud

Obviously the timings will very much depend on the speed at which your organisation moves!

Overall this was an interesting talk, with some good considerations that highlighted the fact most issues with encryption in the cloud are people / process related rather than technology.  We already have known and understood methods for encrypting data in transit and at rest.

However the talk didn’t really touch on the issues around data processing aside from a mention on tokenization that allows portions of data to be available for some processing while protecting the sensitive portion.  This was a bit disappointing for me as I was hoping this area would be covered in some depth as it’s still the one hole left in the ‘can my data in the cloud be encrypted ALL the time, even when searching and processing it?’ question.
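Tokenization as defined in the terminology list, and as mentioned in the paragraph above for keeping part of the data usable, can be shown in a few lines. This is an added example, not code from the talk: the in-memory `TokenVault` class, the `payments` role and the card numbers (standard test numbers) are all hypothetical. Tokens keep the last four digits, deliberately fail the Luhn check so they cannot pass as real card numbers, and can only be reversed through the vault.

```python
import secrets
from collections import defaultdict


def luhn_valid(number):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for a token vault (hypothetical; a real vault is a
    hardened, access-controlled service kept apart from the data it protects)."""

    AUTHORISED_ROLES = {"payments"}  # assumed role name

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("expected a 13-19 digit card number")
        if digits in self._token_by_value:
            # Same input, same token: joins and counts still work downstream.
            return self._token_by_value[digits]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]  # keep the last four for receipts and support
            if (token != digits and token not in self._value_by_token
                    and not luhn_valid(token)):
                break
        self._value_by_token[token] = digits
        self._token_by_value[digits] = token
        return token

    def detokenize(self, token, role):
        """Reversal is a vault lookup, gated on the caller's role."""
        if role not in self.AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._value_by_token[token]


def spend_by_card(transactions):
    """Analytics that run on tokens only and never touch the vault."""
    totals = defaultdict(int)
    for token, pence in transactions:
        totals[token] += pence
    return dict(totals)


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111 1111 1111 1111")  # constructed test card number
    print("token:", t, "last four:", t[-4:])
    print("totals:", spend_by_card([(t, 1200), (t, 300)]))
```

Unlike a ciphertext, the token has no mathematical relationship to the card number, so there is no key that could be stolen to reverse it outside the vault.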

K

RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia.  These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what do the controllers of these Trojans do with the data?  Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks.  A common example is to sell the data, you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving onto examples of specifically targeted attacks and APTs..  Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT.  These have attacked everything from large private companies, to critical infrastructures to the UN.  All of the given examples had one thing in common – Social Engineering.  Every one used Spear Phishing as their entry vector.

From this I think you need to consider – Do you still think security awareness training shouldn’t be high on your organisation’s to-do list?

The talk went on to discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post.  The interesting observation here was their likely different places in the attack process.  Stuxnet was at the end and the actual attack, Duqu likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc.  Feel free to look these up if you want to do some further research.

A very recent example of a targeted attack that was only discovered in July of this year is VOHO.  This campaign was heavily targeted on Geopolitical and defence targets in Boston, Washington and New York.  It was a multistage campaign heavily reliant on JavaScript.  While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infecting nearly 4000.  This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it.

In light of this evidence it is clear we need a new security doctrine.  You will get hacked despite your hard work, if it has not yet happened, it will..  Learn from the event, an honest evaluation of faults and gaps should result in improvements.

Things to consider as part of this new doctrine;

–          Resist – Threat resistant virtualisation, Zero day defences

–          Detect – Malware traces, Big data analytics, behavioural profiling

–          Investigate – Threat analysis, Forensics and reverse engineering

–          Cyber Intelligence – Threat and Adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

–          External visibility – Industry / sector working groups, Government, trusted friends and colleagues, vendor intelligence;

  • Can this information be quickly accessed?  For speed should be in machine readable format, but use whatever works!

–          Internal visibility – Do you have visibility in every place it is needed, HTTP, email, DNS, sensitive data etc.?

  • Do you have the tools in place to make use of and analyse all of these disparate data sources?

–          Can you identify when commands like NET.. and schedulers etc. are being used?

–          Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc?

–          Do you have the long term log management and correlation in place to put all the pieces of these attacks together?
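One way to act on the internal-visibility questions above, as an added example (not from the talk): tag process-creation events for the tools the list names (NET, schedulers, WMIC, PowerShell) and raise an alert only when one user on one host runs several categories within a time window. The log lines are constructed, and the JSON field names (`ts`, `host`, `user`, `image`, `cmd`) are hypothetical; map them to whatever your process-auditing source emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Binaries from the talk's checklist, grouped into categories.
WATCHED = {
    "net.exe": "net", "net1.exe": "net",
    "schtasks.exe": "scheduler", "at.exe": "scheduler",
    "wmic.exe": "wmic",
    "powershell.exe": "powershell",
}

# Constructed sample events, one JSON object per line; the last line is truncated.
SAMPLE_LOG = r"""
{"ts": "2012-10-10T02:00:00", "host": "SRV-02", "user": "svc_backup", "image": "C:\\Windows\\System32\\schtasks.exe", "cmd": "schtasks /query"}
{"ts": "2012-10-10T09:01:12", "host": "WS-014", "user": "jsmith", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net user /domain"}
{"ts": "2012-10-10T09:02:40", "host": "WS-014", "user": "jsmith", "image": "C:\\Program Files\\Browser\\browser.exe", "cmd": "browser.exe"}
{"ts": "2012-10-10T09:03:05", "host": "WS-014", "user": "jsmith", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic process list brief"}
{"ts": "2012-10-10T09:10:30", "host": "WS-014", "user": "jsmith", "image": "C:\\Windows\\System32\\schtasks.exe", "cmd": "schtasks /query /fo list"}
{"ts": "2012-10-10T11:00:00", "host": "WS-020", "user": "adavis", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -NoProfile -File inventory.ps1"}
{"ts": "2012-10-10T15:30:00", "host": "WS-020", "user": "adavis", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net use"}
{"ts": "2012-10-10T15:31:00", "host": "WS-020", "user":
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank, truncated or incomplete records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            if not all(k in event for k in ("host", "user", "image")):
                raise KeyError("missing field")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(event)
    return events


def category(event):
    """Map an event to a watched category by executable name, case-insensitively."""
    return WATCHED.get(PureWindowsPath(event["image"]).name.lower())


def correlate(events, window_minutes=30, min_categories=2):
    """Alert when one (host, user) runs several watched categories in one window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for e in events:
        cat = category(e)
        if cat:
            hits[(e["host"], e["user"])].append((e["ts"], cat, e.get("cmd", "")))
    alerts = []
    for (host, user), rows in sorted(hits.items()):
        rows.sort(key=lambda r: r[0])
        i = 0
        while i < len(rows):
            j = i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            cats = sorted({r[1] for r in rows[i:j]})
            if len(cats) >= min_categories:
                alerts.append({
                    "host": host, "user": user, "categories": cats,
                    "start": rows[i][0], "end": rows[j - 1][0],
                    "commands": [r[2] for r in rows[i:j]],
                })
                i = j  # continue after the alerted window
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert["host"], alert["user"], alert["categories"], alert["start"], alert["end"])
```

The routine scheduled-task query on SRV-02 and the two widely spaced commands on WS-020 stay quiet at the default window; widening the window is what long-term log retention makes possible.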

Summary recommendations and call to action..

–          Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

–          Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

–          Understand current state of malware, attack trends, scenarios, and communications

–          Adjust security team skills and incident management work flow

–          Learn from this and repeat the cycle..

Next steps (call to action!);

–          Evaluate your defence posture against APTs, and take the advice from the rest of this post

–          Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door.  I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

K

RSA Conference Europe 2012 – Duqu, Flame, Gauss: Followers of Stuxnet

Boldizsar Bencsath, CrySyS Lab

Stuxnet – 2010 – modified PLCs (Programmable Logic Controllers) in uranium enrichment facilities.  Most likely government backed and dubbed ‘the most menacing malware in history’ by Wired magazine.

Duqu – discovered by CrySyS Lab in the wild when responding to an incident.  Stuxnet destroyed Iranian centrifuges, Duqu is for information gathering.

However they are very similar in terms of design philosophy, internal structure and mechanisms, implementation details and the effort that would have been required to create them.  Additionally Duqu also used a digitally signed driver as with Stuxnet.

Duqu is so named as it creates temp files starting with the string ~DQ.

Actual relationship between the two and who created Duqu is not known, but suspected that Stuxnet creators at least had some involvement in creating Duqu.

Duqu is a very clean design that automatically downloaded only the modules it required from Command and Control (C&C) servers.  Thus investigators do not know the full extent of its capabilities as they can only see the modules that were downloaded to the targets they investigated.  The Duqu C&C servers may have hosted the Stuxnet PLC code for example.

The components of Duqu that were discovered included;

–          Registry data to point to components

–          Keyloggers

–          Multiple encrypted payloads

–          Pointers to how to decrypt the payloads

–          Of note different payloads were encrypted with different methods

From a CrySyS Lab viewpoint they;

–          Discovered and named Duqu

–          Freely shared their knowledge with AV vendors and Microsoft

–          Identified the dropper

–          Developed the Duqu detector toolkit

  • Focusing on heuristic anomaly detection
    • AV tools already have basic signature detection so no reason to duplicate this
  • Detects live Duqu instances and remnants of old ones
  • Also detects Stuxnet
  • Open source for anyone to use

Moving into 2012 another variant / descendant of Stuxnet / Duqu has been discovered.  This is known as Flame / Flamer / sKyWIper.  Flame has been described as the ‘most complex malware ever found’, its core component is 6MB in size.

Flame appears to follow the same main requirements / specifications as Duqu and Stuxnet, but has been developed in a very different way, using different programming languages etc.  Flame is another information stealer malware with functionality such as;

–          activating microphones and web cameras

–          logging key strokes

–          taking screen shots / screen scraping

–          extracting geolocation data from images

–          sending and receiving commands and data through Bluetooth, including enabling Bluetooth when it is turned off

Flame infects computers by masquerading as a proxy for Windows and has infected 1000s of victims mostly across Iran and the Middle East.

Gauss is another information stealing malware example that is based on the Flame platform.  This was also discovered in 2012, but infections date back to September 2011, again 1000s of victims, mainly in Lebanon, Israel and the Palestinian Territory.

Gauss has been further developed with the Gauss Godel module.  This has an advanced encrypted warhead using RC4 and the decryption key is not available in the malware itself.  This is in contrast to Stuxnet, Duqu and Flame that used simple XOR masking or byte substitution. This encrypted warhead can only be decrypted on the target system making the malware resistant to detailed analysis. The Gauss module is big enough to contain Stuxnet-like SCADA targeted attacks as well as the currently found information stealing attacks.

The talk also had some great graphics highlighting the structure of the various forms of malware discussed.

Lessons learnt from this research;

–          Current approaches for defending systems from targeted attacks are ineffective

  • Code signing is not bullet proof
  • Virus scanners should have improved heuristics and anomaly detection

–          Coordinating international / global threat mitigation and forensic analysis are challenging problems

  • How do we better share information quickly and while preserving evidence?
  • How do we identify and capture C&C servers quickly?
  • How do we track along the C&C proxy chain?

–          Attackers are using ever more advanced techniques

  • MD5 collision attack in Flame
  • Encrypted payload in Gauss

What can you do to better protect your organisation from similar attacks?

–          Extend protection beyond signature based techniques

  • Anomaly detection – Understand normal use patterns
  • Heuristics
  • Baits, traps, honeypots (I’d say these ones are pretty advanced and likely used by only the most security conscious and savvy organisations)

–          Educate your IT teams to spot and raise anomalies

–          Use Forensics – every organisation should have some forensic capabilities

–          Have an incident response plan, with methods to contact external professionals / experts if required

–          Look into ways to better share information!

It is well worth checking the CrySyS Lab blog for further information on the malware mentioned in this talk, plus many related topics;

blog.crysys.hu

This talk did a great job of highlighting how one advanced attack inspires many new variants, and how attacks and attackers are becoming ever more advanced and sophisticated.  What is in an advanced, state sponsored attack one day will be used in point and shoot hacking toolkits the next day..

K

RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos currently see >200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional with easy to access tools;

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors’ AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendor or shared in any way so you can be assured that your malware will not be added to existing malware databases.

Another example is Gwapo that has YouTube videos advertising their DDoS service.

Ransomware is also becoming common with malware that encrypts your drive(s) and requires payment to unencrypt it.  Some ransomware becomes a lot more scary and malicious with threats that illegal content such as child pornography is encrypted on your computer and if you don’t pay within xx hours or days the police will be sent details of how to unencrypt it.  Ransomware can be particularly harmful and effective as it does not require administrative access, for example if you have access to company files etc. they can be encrypted with your limited access.

You can easily get access to ‘crime-packs’ containing various exploit and attack tool kits.  Examples include; Firepack, ice-pack, crimepack, blackhole etc.  Some of these even come with CR tools built in!  Additionally in keeping with the times some are available as cloud based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple gui based interfaces for creating your own malware based on existing payloads etc.  They are also very regularly updated with new code and make use of polymorphism to try and evade detection.

As an example blackhole has features such as;

–          Blacklisting / blocking to try and prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. from cloud services)

–          Auto updating / patching

–          Can target multiple client vulnerabilities simultaneously

–          Java 0-days almost as soon as they were available

–          AV scanning add ins to check if the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance, this is a grey area and may be legally questionable in some jurisdictions so you should be careful when looking at these options.  Some options in escalation of scale order;

–          Bit of poking – DNS, name servers and ‘affiliations’

–          Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly basic information

–          Javascript. Web Shell. Querying more information

  • Borderline, depending on your jurisdiction

–          Full hog – exploitage

  • Oh, you didn’t patch Java in your system either? – use the attacker’s exploit, in this case Java against their own Java based site / application
  • Where they are, what they are doing.

Two steps forward.. Using IPv6 as an example, many machines now have IPv6 on as a default, simple router flood attack available on current Backtrack etc. can max out CPU and even crash the machine.  You may not care about IPv6 yet, but if you are not disabling it or securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.

Key take away points from this talk are;

–          Consider upcoming technologies even if you are not using them yet

–          Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities, gather solid, admissible evidence to hand to legal investigators

–          Watch the basics

  • Assumptions kill us
  • Yes people can be that silly

–          Everything in moderation – Hype hurts

On a closing note, the tools and sites mentioned in this post are real and currently accessible.  Search for and use with care and at your own peril!

K

RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

–          Evolving compliance

–          Evolving Threats

–          Evolving Technology

–          Evolving Business

–          Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape.  Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are rapidly increasing our dependence on technology and software systems much more quickly than our ability to secure them, e.g. insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges not technical but cultural?  For example the OWASP top 10 issues have basically never changed!  Why have we not yet solved any of these issues?

Why is this?

–          We have faith based security

–          We need evidence based security

–          However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not what is important.

–          Drunks and Lampposts! – we (and vendors) use data to prop up their views and desired message, not to show the true picture in the same way a drunk uses a lamppost for support, not illumination.

 

Collection of thoughts presented;

 

–          Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!

–          We have and accept buggy software

–          There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith

–          We had the chance to do cloud computing better, but are already having the same types of conversation as before..

–          The security industry scores very high on the Maslow stress index..

–          Most companies and CISOs cannot stop standard Metasploit attacks, if we can’t stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..

What can we do about it? (in order of importance);

–          Pick one;

  • Make excuses
  • Make progress

–          Build defensible infrastructures including rugged software

–          Operational excellence – run IT well, understand what you have

–          Situational awareness

–          Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

http://blog.cognitivedissidents.com/

To summarise, Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! :)

Overall a great although sprawling and fast paced talk.

——–

Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting, just having breakfast you effectively trust 1000s of people to have safely grown, prepared and served your food.  Society wouldn’t function without trust.  This is why we do security, security enables trust, and trust enables society.

There are two forms of trust –

–          Personal when you know someone, and understand some of their likely motivations and expected actions.

–          Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoner’s dilemma.  People can be ‘defectors’.  However defecting only works if the defectors are not too successful, if defecting becomes too successful things, in this case society, can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

–          Morals – mostly comes from within our own head

–          Reputation – mostly comes from other people’s opinions of us

–          Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.

–          Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between these pressures and defectors.  Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..

Technology makes society more complex and is leading us through a time of great societal change.

To summarise;

–          No matter how much societal pressure there is there will always be some defectors

–          Increasing societal pressure is not always worth it

–          We all defect at some times. No one is perfect.

–          There are good and bad defectors and it can be hard to differentiate.

–          Society needs defectors – we all benefit because some people don’t follow the norms..

K

RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity?

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just Facebook, Google and CERN.  Organisations from the police with cameras constantly taking photos of license plates to log data from corporate systems and web sites.  Many companies are now having to deal with or plan to deal with big data in order to understand their systems, their customers, and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security into the overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’ from IaaS to SaaS and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective, cloud data centres are fractal, you need to understand what your assets are, but also realise many are the same for example storage and compute.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  You need to look at hardening and understanding this perimeter and correlate logs across these environments.  How do we manage code issues and potential exploits and varying methods of authentication?  Your developers are working on new code and functionality, and your support staff may not have enough code experience.  Do we need a new breed of operations support with reasonably in-depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges to organisations.  We need to ensure they are all monitored and managed; Single Sign on, Privacy, Corporate policies.  How do we do this to 100s / 1000s / 1000000s of thin devices that cannot have very thick applications installed on them?  Cloud based services for both device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet focusses on the debate between security and privacy vs. demand for freedom.  The US identifies four areas that need to be managed and prevented; Crime, Hacktivism, Warfare, and Terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, for example through card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to the fact that Carderplanet had a deal with the FSB (Russian secret service): the FSB would not interfere with their ‘work’ as long as they did not attack financial institutions, and if they would perform attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret service (MI6 / MI5) is dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 Billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however they want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously has issues with preventing freedom of speech.

Will the Web break down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

RSA Conference Europe 2012 – Developing Secure Software in the age of Advanced Persistent Threats

Talk presented by Dave Martin and Eric Blaze, both security officers from EMC.

March 2011 – RSA suffered a breach from an Advanced Persistent Threat (APT) type attack.  This was big news and many customers were affected, having to replace their RSA tokens etc.

Security groups in a high tech organisation, with EMC being the example, are the Product security group and the IT security organisation.  Where;

–          Product security is focussed on the security of the products produced by the business, deploying patches to customers etc.  This can be looked at as the product’s impact on the customer’s risk.  At EMC they work on the premise that the customer’s network where the product will be deployed has been compromised, so security is paramount.  Secure development / code and application focussed.

–          IT security organisation is responsible for the security of the IT enterprise itself.  This can be looked at as the security impact on enterprise risk.  Generally tend to be much more infrastructure and system focussed.

The environment is changing – environments much more likely to be compromised in a subtle, planned, long term manner (APT) rather than the traditionally more blunt and opportunistic attacks / compromises.

What are the characteristics of these changes?

–          Single minded, determined and innovative

–          Targeting individuals over systems

–          Through reconnaissance will understand your processes, people & systems better than us

–          Will exploit ANY weakness

–          Countermeasures increase sophistication

–          Custom malware, NOT detectable by signatures

–          Are not in a hurry; will take as long as it takes

–          Goal is long term & persistent access

–          The perimeter has shifted, all systems now exist in a hostile environment

What are the implications of this?

Real attacks that have been publicly reported have included;

–          Loss of intellectual property

–          Loss of cryptographic secrets

–          Loss of source code

–          Attacks against cloud services

Mandiant M-Trends 2012 reports that 94% of companies find out they have been compromised from law enforcement, and the median length of time from when a company is compromised to when the breach is discovered is 416 days!  Do you know your network is secure, can you report with confidence to your board and shareholders that you have adequate, intelligent monitoring and solid layered defence in depth in place?  Is your organisation aware of the risks at all levels?

We must assume that we are compromised! – the Security for Business Innovation Council in August 2011 stated;

“Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.”

Technology providers must support this by adapting their product security strategy in the following ways;

–          Create an integrated governance model

–          Build intelligent monitoring into products

–          Design layered defence into products

How do they do this?  Product security and Organisational security must work more closely together to expand the SDL (Secure Development Lifecycle) and collaborate on standards such as;

–          Source code management

–          Anti-counterfeiting

–          Cloud / Hosting

–          Supplier risk management

–          Software integrity controls

–          Make product strategy part of the enterprise risk strategy

–          ..

Make logging of events more intelligent; Build attack-aware software.

–          Leverage threat modelling within the software to log abuse such as Buffer Overflows and SQL Injections

–          Evolve from logging to debug code issues towards logging that is much more useful for detection, for example by including anomaly and behaviour logging in program logic

–          Design software to integrate with and leverage the existing enterprise risk ecosystem – white lists, reputation awareness etc.
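A sketch of the attack-aware logging described in the list above, added here as an example and not code from the talk or from EMC.  The validator class, the `account_id` field, the patterns and the thresholds are all assumptions; the point is that abuse raises a structured security event while an ordinary typo does not.

```python
import json
import logging
import re
from collections import defaultdict

security_log = logging.getLogger("app.security")  # kept apart from debug logging

# Constructed heuristics; a real product derives these from its threat model.
MAX_FIELD_LEN = 64
SQL_META = re.compile(r"'|--|;|/\*|\bunion\b|\bor\b\s+\d+\s*=\s*\d+", re.I)
ESCALATE_AFTER = 3  # abuse events from one source before flagging for the SOC


class AttackAwareValidator:
    """Validates a numeric account id and records abuse, not just failure."""

    def __init__(self):
        self.events = []
        self.per_source = defaultdict(int)

    def _record(self, source, kind, value):
        self.per_source[source] += 1
        event = {
            "source": source,
            "field": "account_id",
            "kind": kind,
            "length": len(value),
            # Truncate the sample; json.dumps below escapes it, so newlines
            # in hostile input cannot forge extra log lines.
            "sample": value[:32],
            "escalate": self.per_source[source] >= ESCALATE_AFTER,
        }
        self.events.append(event)
        security_log.warning(json.dumps(event))
        return event

    def check_account_id(self, source, value):
        if len(value) > MAX_FIELD_LEN:
            # No legitimate client sends this much data in a 10-digit field.
            self._record(source, "oversized_input", value)
            return False
        if SQL_META.search(value):
            self._record(source, "sql_metacharacters", value)
            return False
        # An ordinary typo is rejected without raising a security event.
        return re.fullmatch(r"[0-9]{1,10}", value) is not None
```

Because each event is one JSON object per line, an existing log pipeline can pick out the `escalate` flag without parsing free text.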

Incorporating layered defence into applications / services to resist APT type attacks can be done in various ways including;

–          Utilising split-value cryptographic authentication.  This is where passwords are split and stored across two servers, with one hosting its part as an XOR’d random number and the other hosting the random number.  Thus the attacker has to compromise two servers and crack both parts within a small time window, as the random number is regularly refreshed.

–          Assume source code is compromised – anything can be eventually reverse engineered;

  • Never hard code secrets,
  • Adopt a Secure Development Lifecycle,
  • Threat model for source code exposure,
  • Build integrity control into source code reviews
  • Pay attention to comments – we should comment for best practice and code support, but make sure things like ‘To do, must add security here’ are not left in the code!

–          If you use agile methodologies, ensure you have a security based story.  Review the recommendations from SAFECode;
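The split-value storage from the first item in the list above, as an added example that is not RSA's or EMC's implementation.  `ShareServer`, `enrol`, `refresh` and `verify` are hypothetical names and PBKDF2 is an assumed choice; the talk notes do not say how verification is performed, so this example recombines the shares in one place for clarity.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed value for the example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class ShareServer:
    """Hypothetical stand-in for one of the two servers; holds one share per user."""

    def __init__(self):
        self.shares = {}

    def rerandomise(self, user: str, delta: bytes) -> None:
        self.shares[user] = xor_bytes(self.shares[user], delta)


def enrol(user, password, red, blue, salts):
    salts[user] = secrets.token_bytes(16)
    secret = derive(password, salts[user])
    pad = secrets.token_bytes(len(secret))
    red.shares[user] = xor_bytes(secret, pad)  # the XOR'd value
    blue.shares[user] = pad                    # the random number


def refresh(user, red, blue):
    # Both servers apply the same fresh delta: the XOR of the two shares is
    # unchanged, but a share stolen before the refresh no longer pairs with
    # a share stolen after it.
    delta = secrets.token_bytes(len(red.shares[user]))
    red.rerandomise(user, delta)
    blue.rerandomise(user, delta)


def verify(user, password, red, blue, salts) -> bool:
    # Assumption: shares are recombined on one host to keep the example short.
    stored = xor_bytes(red.shares[user], blue.shares[user])
    return hmac.compare_digest(derive(password, salts[user]), stored)
```

Either share on its own is a uniformly random string, so dumping one server reveals nothing about the password hash.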

In summary we need to develop using secure methodologies and use the assumption that all systems are or will be compromised.

K

RSA Conference Europe 2012 – SSL is Cracked panel discussion

The panellists for this were;

Ivan Ristic; Director of Engineering, Qualys, Inc.

Marsh Ray; Senior Software Development Engineer, PhoneFactor

Gerv Markham; Governator, Mozilla

Phillip Hallam-Baker; VP and Principal Scientist, Comodo

Overall some great experience here including the guy who wrote ModSecurity and the guy who discovered the TLS renegotiation vulnerability.

The discussion covered the following topics;

Vulnerabilities / Attacks;

–          Protocol-based – TLS Renegotiation, weakness in CBC handling on web servers, CRIME (TLS compression issue that can result in password exposure), BEAST (Browser Exploit Against SSL/TLS) tool.

–          Implementation-based (e.g. mixed content)

–          Practice based (certification authority bad practices)

Solutions and Remedies;

–          Those currently available (e.g. RC4 with TLS 1.0)

  • DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates

–          Those in Development / Deployment

  • Online Certificate Status Protocol (OCSP) Stapling
  • HTTP Strict Transport Security (HSTS) – HTTP header that says from now on only connect to this site with HTTPS, never HTTP.
  • Content Security Policy (CSP) – way to manage the content you will accept from web sites based on declarative content statements in the headers.
  • Improved security and audit requirements for CAs (certificate authorities)

–          Those being Discussed (DANE, CAA, CT etc.)

  • DANE – DNS based Authentication of Named Entities
  • CAA – Certificate Authority Authorization (DNS Resource Record)
  • CT – Certificate Transparency (Issuance Logging)

Summary / Take away points;

–          Check Systems (Your Own and Those of Others) – You can go to https://www.SSLlabs.com and enter a URL to test its level of TLS/SSL

–          Analyse Code and Configurations for Vulnerabilities

–          “Tweak” System Configurations and Code

–          Support Implementation of Newer Versions of TLS and other emerging Protocols

–          Patch and/or Replace Systems

–          Web Security based on SSL/TLS Continues to Evolve and Improve

 

Overall this was an interesting and thought provoking discussion.  However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate.  This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

–          Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

–          Data is evolving rapidly – explosive data growth, big data

–          Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – Hactivists) to nation states.

Existing security systems are ineffective;

–          Signature based – from AV to anti-spam to firewalls to IPS tends to look for known things and behaviours (signatures)

–          Perimeter orientated – Firewalls, IDS / IPS, router security etc. still make up much of the focus.  We are becoming more and more porous or boundary-less.

–          Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from ‘I will stop breaches’ to ‘I will be breached’, and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

–          Information deluge – too much information

–          Budget dilemma – so much hype and marketing, what do I spend limited budget on?

–          Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the reach of the limited number of very talented people to work for the whole organisation?

–          Macro situational awareness – How aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but has limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like?  This is much more complex than just ‘is it a valid login’; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

–          Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

–          Cannot fully investigate exfiltration or sabotage of critical data

–          Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!

Incident response lessons learned;

–          Stop doing things that provide little value

–          Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

–          Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

–          Collaborate in real time with others more effectively and gain actionable intelligence

–          Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

–          Comprehensive visibility

–          Agile analytics

–          Actionable intelligence

–          Optimise incident management

How do we improve understanding and analytics?

–          Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the service technology symposium; both identify the need to manage and analyse big data in real time or as near to real time as possible.  These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions.  Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved.  Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K