Now, this is nothing new, and as I stated before, has been going on for years. I’m not even going to go to the political discussion on whether this is sponsored by the government (or have been turned a blind eye by it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified who on what. A couple of funny things to consider in this incident:

1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted that they knew of this issue months ago.
2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with it’s corresponding password).
3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific point? Let’s see, and now from a perspective of a normal CERT that if would have been here would have addressed these as follows:

1. Companies that deal with security research can send their insights over local security incidents to a coordinating entity – IL-CERT that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTS and who they constituency is.
2. Coordination and notification to government related bodies would  be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il account have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
3. Incident handling support and assistance would have been provided by subject-matter experts to any site that have experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would have probably done a referral as initially it would not be a commercial body).

Simple huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of it’s own internet security…

Related posts:

1. FIRST and IL-CERT
2. Cyber[FUD]Fare – repost from fudsec.com
3. The China/Google thing, accountants and other miscreants

We expect to have great participation from all areas of the industry, are working on a great venue to host the conference, and are opening up the Call for Papers.

Please see the CSA-IL WiKi for additional information on how to submit for the CFP:

http://wiki.csail.dreamhosters.com/wiki/CSA_conference#Call_for_papers

Looking forward to seeing you all there!

Related posts:

1. Upcoming Conference Schedule
2. ExcaliburCon summary and general China notes
3. Being in the middle (or: things we didn’t manage to learn in a decade)

The question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.

I think that this question is highly inappropriate for two reasons:

1. You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
2. You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…

Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?

What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…

I’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!

Related posts:

1. Practical vs. Regulatory – the votes are in!
2. Who owns your online identity? Facebook squatters on the rise
3. Being in the middle (or: things we didn’t manage to learn in a decade)

Disclaimers aside, down to business.

What have we learned over the past decade in the security business – let’s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah – I can hear you from the back of the room) – WAF!. Well, WAF right back at you. Doesn’t work, didn’t work back in the days when it took 3 days to configure it for a small site, and still doesn’t do much good other than the simple stuff (which you can get for free at ModSecurity).

We have almost no technological advantage over what we used to have 10 years ago. So, you must say, we learnt that we as security people must have gone through so much that we manage and deal with the risks and threats much better. Yes, that’s a tear at the corner of my eye. How much I wish you were right.

The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didn’t know what to do in order to do their jobs, are not doing any better than most companies nowadays.

Then, just like now, they are still trying to find the right “stuff” that’s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding “vulnerabilities” and categorizing them “high, medium, low” (or whatever scale that doesn’t mean anything) in our networks, operating systems and applications. Then, just like now, we can’t tell the difference whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of “FUD”.

I meet a lot of talented young (and old) security people, they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adapt that tunnel-vision that allows them to dig right in to the utter abyss of a technical challenge. I also meet a lot of people with broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. “Sea surf? Yeah! I remember surfing when I was a kid…”, “Sequel? Which one? I thought the matrix series was over…”, “But let me tell you about my new world cyber-peace strategy…”. You get the point.

And don’t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us back from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400 pound gorilla of money sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because the number of certs they have on their business card, but because I know they don’t really need these certs to be professional security people.

What I’m still struggling with is the middle. I have always been looking for the middle (even as a kid – “your son is about average, but he’s got great potential” was a recurring parent-meeting slogan through all my school years). The middle which have built itself over the foundations of technical research, got their hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get their bearings right. The middle who didn’t get blinded by a new management position, and kept relatively up-to-date on what’s going on. The middle who didn’t skip last year’s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because he thought it was some passing fad (and didn’t want to admit that it’s just too darn complicated for them to get into new stuff). The middle who took up looking at how the business works. From the numbers, through the sales, operations, tech-support, client meetings, competition and the board-room decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat to numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there – in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.

I find myself trying to fit in the middle too many times. I’ll admit it – I didn’t think of a middle back when I started getting paid for breaking things, but I saw the middle. I haven’t figured out the right terminology until 6 or 7 years ago for this middle. But darn it! (imagine what I held back until now…) I like that middle, and unfortunately (or fortunately as my accountant would say) we are still bad at filling that middle. We still haven’t bridged the gaps between the techies and senior management (I’m obviously generalizing, but look at your average F-100 company – you’ll get it…). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.

Let’s get the good guys from both sides back to the middle. Let’s get the techies some business training, dress ‘em up nice and give them the tour. Let’s send our CxO’s to DefCon for a refresher on how things are done these days. There’s no shame in learning. If I find a day in which I didn’t have a chance to learn something new – technical, financial, political, strategy or disassembly, I feel wrong. Let’s justify our overpriced salaries and really make something out of it. We were used to be paid to think outside the box, and all we did since we started getting paid is to paint the box in crayons.

Break the box. Down to it’s nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.

p.s. – what’s with the parenthesis you ask? well, that’s just how I like to write, and besides – it leaves room to put things in the middle

Related posts:

1. CyberCrime, CyberWarfare, and 2010
2. Cyber[FUD]Fare – repost from fudsec.com
3. The community to the rescue again

Well – it might seem as non-news for readers of this blog (or people who were in my presentations at BlackHat, DefCon, HackerHalted, ExcaliburCon, BlueHat, or in other venues), but a couple of interesting sound-bytes may catch your eye:

1. ZeuS (good ol’e friend, how I missed debugging thou) has implemented licensing schema. The schema enforces that the licensed software be only used on licensed machines. News? yes, kind’a. Remember Neosploit (another personal pet-peeves)? Then you must remember the licensing scheme there as well. Pretty close to what ZeuS just introduced. And they say that the world has stopped sharing. pffff. And you can quote me on that. As anyone who ever took more than a brief look at how these things operate, the only takeaway possible is simple: It’s all about the money (hence – license enforcement is key. Ask Microsoft )

2. Staying with ZeuS, there has been quite a lot of effort in the past few months to take down one of the main autonomous systems providing upstream for some of the biggest C&C’s hosting ZeuS. You can read more about it here, and here. Notable effort indeed, as TORYAK-AS has been on the hit list for ZeuS tracking researchers for a long time. Only thing is – there’s money here again. Which means that even taking down the entire AS won’t really take down the botnet as it relies on bulletproof hosting which means that there will ALWAYS be alternate routes leading to it. That’s how things work. Just like trying to fight trafficking and drug trade. As long as there is demand, there will be supply. You dry out one supplier, the economy will just pop out another one. It’s all about the money.

So, I’ll finish up with a couple of reassuring words. We are not done yet. We like fighting the technical battle (I’ll admit that I had my fun doing so, and still have fun when called to duty), but the real battle won’t be won in that playing field. Remember Al (Capone) – it didn’t take the DEA or FBI to take him down. It was the IRS…

Related posts:

1. Cyber[Crime|War] – connecting the dots – BlackHat EU 2010
2. ExcaliburCon summary and general China notes
3. New post on fudsec.com – CyberFUDfare

One tiny thing mudded the whole experience – a couple of days after getting the Macbook Pro, I’m finding a single “stuck” pixel. Really annoying (nothing life-threatning, but definitely not Apple-like…). So I call support. Great guys on the phone, really appreciative (and just as annoyed as I was by the pixel). Too bad I was on my way back to Israel – the land of service that sucks.

And so I’m faced with the local Apple representative (hope that they wouldn’t stay Apple affiliated after this) – who got the repair order from Apple US – to replace the screen or the entire laptop (yes – they would do that in the US…). BUT (and that’s a big BUT) – the local guys aren’t as savvy to help as their US counterparts. Especially if the laptop was not bought at the local Apple store (where the prices are literally double than in the US – and you get dirt on your keyboard in the form of Hebrew alongside the English engraving).

Long story short – laptop left at the authorized service center just to be returned with a “we don’t fix issues that concern dead or stuck pixels – live with it”.

Fast forward one week – entering a web scheduled Genius appointment at an Apple store in the US. Was late 20 minutes (flight delays). Huge line, but local crew is super supportive, getting the manager to deal with me (laptop is being used for work, and I kind’a got attached to it…). 2.5 hours later I get an email – come pick your laptop – we fixed it (in Israel it took them a whole day – without even touching it). Picked up the laptop when the store was CLOSED (staff was happy to assist, and offered additional support and tips).

Laptop has EVERYTHING new (looks like they just swapped out my disk and memory to a fresh piece). Fully working, no bad anything, one happy customer.

How F*#&ing hard was that huh?

No related posts.

I’m not putting any links to BeeFence since it was a startup I had the honor to be one of the founders of (which obviously went down the road of many other startups…), but the neat thing about it was the technology (did I mention I was the CTO ). Basically – we had what we called “Active Validation” (or sometimes “Interrogation”) of sessions. We generalized it a bit more to cover additional protocols rather than just focus on Web2.0 (think what it can do to the NIDS/IPS world…).

Makes me think of getting back on the startup bandwagon, although I’d have to make some sense out of the drawer-full of ideas I’ve been filling over the past few years having been engaged in web security and cloud security recently… you never know

Related posts:

1. Two steps forward, one step back – controling botnets…
2. Identity crisis
3. Clouds, and the winds that blows them away…

Conference first: It was just great! No-nonsense, I have been speaking at quite a few conferences around the world, but this one really was special. From the organization, through the location and hospitality, down to the fact that we basically were less than a dozen (western) speakers hanging around all day (and night) which really was a great opportunity to make some new friends and strengthen existing friendships.

Talk wise, I have really enjoyed Nathan Hamiel’s “weaponizing the web” talk which I missed at BlackHat earlier this year – right up my alley of the past year’s research on MalWeb, and a great person in general to hang around with.

Later on Steve Topletz has been discussing intelligence on the internet and the superpowers that are engaged in it (with a strange kudos to a little country called “Israel”? Thanks Steve!) which was I’m sure an eye opener for a lot of people who were not privy to some of the data presented.

I also watched the Joe McCray deliver his “this is so easy” advanced SQL-Injection attack talk with the style we always expect Joe to deliver. Adam Laurie (Major Malfunction) has been wrecking havoc with his RFIdiots talk as usual (and in several other places where we hung around). Jordan Wiens made all this Capture-the-Flag stuff look like a big game (don’t think it is for a minute – the skill-set that a team needs to possess is just brutal, and the challenges are as hard as they are fun!). Jayson Street has been juggling with organizing the conference but managed to smoothly present his talk as well, and I can only say I’m really disappointed for missing out Chris Nickerson’s red-team testing talk (close to my heart and business), as well as Wim Remes’ Open Source Security one (one of the few true Unix guys out there and a swell chap overall ). FX did not miss his mark either as he delivered a riveting router exploitation talk (riveting for English speakers – not sure how the somewhat direct language translated to Chinese…).

Other than the conference, China has been a great experience – culturally, politically (don’t get me started), culinary (we got pictures – not for the faint of heart), and technologically (I told you not to get me started…). I have learned a lot (which should be the case for every trip and conference) and am sure to come back for more next year after WuXi will recover from the can of pawnage we have opened up there.

The rest of the stories may not be SFW and deserve a been to be divulged, so until then, keep safe!

Related posts:

1. Cyber[FUD]Fare – repost from fudsec.com
2. The China/Google thing, accountants and other miscreants
3. It’s all about the money

First things first – the main reason for abstaining from the cloud security discussion was simply the lack of definition (and existence) of clouds… True – Amazon has provided the infrastructure to the first layers of building cloud solutions, but full-on “process-as-a-service” has yet to emerge from the different offerings that call themselves cloud. There has been enough ink (bits?) spilled over what really is  cloud computing and what it isn’t (you can check out Craig’s presentation, and Hoff’s view on things).

And now to my 2c on the subject at hand, I have been involved with a few cloud security companies in the past months and being able to lend a hand at the strategic level, I was exposed to several aspects of where are we now with cloud computing, where are the gaps that security firms will need to pitch in and provide basic protections, and a whole lot of marketing fuzz that needed to be thrown off in order to realize what’s out there.

To begin with, we had to sift through the marketing mambo-jumbo to get to the point – seems like the more expensive your marketing budget is, the farther away you get from reality in your message – too bad (and that’s coming from someone who turned a lot of technical material into marketing…). Hence the first point – blowing enough smoke to make everyone tear does not constitute for creating a cloud.

Point two – now that we to the bottom of the offering (and I’m not going to name names…), one usually realizes that it has either been out there for quite a while and has been wrapped in clouds to sell it better, or that someone has made some basic adaptations to an existing offering (see roaming users, VPN, scanning services) to cloudify it. Whatever is left that did not fit into the previous schemes is worth a second (or is it third by now) look.

Point three – what’s the market for your cloud offering? The last hurdle that all these new cloud companies face is choosing (or defining) a direction. Do you see yourself providing a solution for the end users? for businesses? for the cloud infrastructure providers? for providers of services/software/processes on the cloud? If you get an answer in the lines of “we basically provide a solution for all of them” – run! As each of the mentioned markets have different needs, and different views on their place in the cloud, you better get a solid answer for this. I strongly suggest reading the “Cloud Architecture” section written by Chris Hoff which is part of the Cloud Security Alliance’s “Guidance for Critical Areas of Focus” starting at page 15 in order to get an idea on the latter.

Now with most of the fluff away, and the offering at hand we can actually focus on whether it makes sense (business-wise), and where does security fit in. By no means this is going to be a guide for securing the cloud, but always remember the architectural model – from hypervisor, all the way through multi-tenanting, data abstraction and sharing, inter and outer process communication, and off to simple abuses of the cloud in the form of DDoS, Botnet tools, etc…

Hope this made some sense – if not I can only suggest reading some more material on it, and to play around with the current offerings from Amazon, Azure (MS), and Ubuntu (Canonical).

Related posts:

1. AHA! A blast from the past…
2. Being in the middle (or: things we didn’t manage to learn in a decade)
3. Cyberwarfare and Cybercrime – more links turn out in study

Funny how technology sometimes is way simpler than you imagine it would be. As per the new twitter based botnet channels, and the fancy web2.0 communications that are available for usage (see older post at here), utilizing the age-old mechanism of anonymously posing messages on a newsgroup is humbling.

Nevertheless, it’s the same new story (Google groups were chosen because of the web interface and the uptime reputation), just dressed up in old clothes (pun intended…). The same advice that I gave 2 years ago, which I gave last year, and again 3 months ago, is still valid – forget about putting out fires (that’s your off-the-shelf AV). Focus on proper mitigation, a solution that shows you how the technology is an extension of the company’s research, and forward thinking attitude. Look for solutions that are more behavioral in nature in order to identify mal-intent communications, and act proactively based on the predictions and research done.

Basically – don’t settle for mediocracy!

Stay safe.

Related posts:

1. AHA! A blast from the past…
2. Getting a business degree as part of Security Research?
3. Identity crisis