Tag Archives: vulnerability

Information Security Intelligence Report for 2010 and Predictions for 2011

Looking back at 2010 shows a widening gap between cybercrime and law enforcement capabilities, in conjunction to nations that have started the cyber-race to develop defensive and offensive capabilities. Most of the attacks analyzed in 2010 depict organizations that fall behind in their defensive strategies as attackers take advantage of a hybrid approach that merges technical merits alongside human weaknesses to cash-out on their attacks.

Cybercrime widens the gap between attack capability and defense mechanisms. Analyzing several of the major attacks of 2010, Security Art notes that organizations were attacked in two key ways. Firstly, through technical exploits such as Aurora, Mariposa, ZeuS, and SpyEye. Secondly, by attacks that bypassed traditional protection methods, and gained access to targets through human-weakness areas such as social media. While businesses focused on defending themselves using security mechanisms such as anti- virus software and perimeter defenses, attackers jumped over these defenses, and proceeded to flood the market with a high volume of malware that now poses a serious threat to security providers in terms of detection rates and response time. However, law enforcement agencies have focused mainly on menial cybercriminals, and have not successfully reduced the impact of online criminal activities. On a national level, we see nations have embarked upon the race to develop defensive and offensive cyber capabilities.

Cyberwar arms race sends nations to shopping frenzy. As CyberWar gained merit (and criticism) during 2010, with the movie-material Stuxnet incident being the poster-boy for news outlets that published every spin-off, speculation, and plain old gossip, the international scene had its own race for the latest and greatest defense mechanisms. The implications of Aurora and Stuxnet made most countries feel their lack of a critical infrastructure defense and the capability to deliver a similar cyber-blow, and many went shopping for weapons. Security Art witnessed the strategic build up of capabilities in some countries, and a more hurried shopping spree (that usually led to amassment of CyberCrime provided tools) in others. This, and the delayed response of organizations such as the UN, the EU, and NATO, left the scene looking more like the Wild West than Silicon Valley.

Expanding digital domain and improved understanding of security will reign in 2011. Our prediction for 2011, drawn from the criminal, political and diplomatic sides of cybercrime that dominated 2010, is that more focus is going to be given to approaching security from a strategic standpoint. Rather than buying “best of breed” products and ticking off compliance sheets, we predict that organizations and countries will apply a more sensible executive-level understanding of what information security means to them. In the expanding personal digital domain (smartphone, tablets, and suchlike), and the continued digitization of all organizational information (from scanned materials to VOIP telephony), security must be applied to more layers than ever before. Countries and organizations will have to adopt additional skill-sets and look for solutions in areas they have not dealt with before.

Please go to http://www.security-art.com/download-report to download the full report, or email [email protected] for additional information.

The Botnet Wars – industry Q&A

I was approached recently by Bart P from Panda security in order to participate in an industry expert Q&A about the botnet wars (apparently he did his homework as he got quite the lineup to participate in this, guessed he can count me as a close miss :-)…).

He managed to compile a great Q&A where you can read some of the views and opinions on the current state of business at the Botnet (including exploit kits and crimeware kits) marketplace.

The full article is available at: http://bartblaze.blogspot.com/2010/10/botnet-wars-q.html

Enjoy!

Being in the middle (or: things we didn’t manage to learn in a decade)

This is going to be painful, so hold on.
Instead of mumbling short tweets about things I think that suck, I decided to keep everything in and just formulate a post on it.
This post is a rant. It’s a complicated rant by an “old” guy (my excuse for cynicism) in the industry who’s had a chance to see a lot going. Disclaimer: I’m going to give some examples here, real life examples from my own experience in the security industry. Some are from my consulting days, some from the vendor days, some from freelance and other gig days. If you think you are someone who I’m describing here – you probably aren’t. On the other hand, if you can recall some snotty smart-ass dude come into your company wearing orange bermuda pants (swear to god) sandals and (hold it) silver toenail polish (I was going through something back then), telling you how badly your security sucks and leave a single pager report on it showing gaping holes in technology and processed, well, I’m sorry…

Disclaimers aside, down to business.

What have we learned over the past decade in the security business – let’s see: AV is pretty much the same as it was in 2000 (which is the same as it was in 1990, you get the point). Firewalls do pretty much the same give or take a couple of useless protocols that nobody needs. Oh, oh, I know (yeah – I can hear you from the back of the room) – WAF!. Well, WAF right back at you. Doesn’t work, didn’t work back in the days when it took 3 days to configure it for a small site, and still doesn’t do much good other than the simple stuff (which you can get for free at ModSecurity).

We have almost no technological advantage over what we used to have 10 years ago. So, you must say, we learnt that we as security people must have gone through so much that we manage and deal with the risks and threats much better. Yes, that’s a tear at the corner of my eye. How much I wish you were right.

The same people who I used to see so excited by their newfangled CxO title and their big office 10 years ago, who didn’t know what to do in order to do their jobs, are not doing any better than most companies nowadays.

Then, just like now, they are still trying to find the right “stuff” that’s going to save their world if they just buy/lease/license it and install it in a shiny new rack. Now, just like then, we are focused on finding “vulnerabilities” and categorizing them “high, medium, low” (or whatever scale that doesn’t mean anything) in our networks, operating systems and applications. Then, just like now, we can’t tell the difference whether a threat will render our business useless, rob us blind, or just evaporate like a baby hiccup with a faint noise of “FUD”.

I meet a lot of talented young (and old) security people, they are all bright-eyed, bushy-tailed and ready to fight until the last drop of blood over what they were trained/self-taught/researched. And I envy them. I envy the ability to just disconnect, to adapt that tunnel-vision that allows them to dig right in to the utter abyss of a technical challenge. I also meet a lot of people with broad vision of how security should be. They have forgotten the technical mumbo-jumbo the kids are talking about today. “Sea surf? Yeah! I remember surfing when I was a kid…”, “Sequel? Which one? I thought the matrix series was over…”, “But let me tell you about my new world cyber-peace strategy…”. You get the point.

And don’t even get me started on all these certifications that everyone goes after. The sad fact is, these things have kept us back from thinking differently. They boxed us into whatever the course/certification/training is trying to cram into us on a technical level, and basically leave it at that. It created a 400 pound gorilla of money sucking industry without really giving us back any more talent. Most of my friends in the industry have some kind of certification (or two, or ten), but I still call them friends not because the number of certs they have on their business card, but because I know they don’t really need these certs to be professional security people.

What I’m still struggling with is the middle. I have always been looking for the middle (even as a kid – “your son is about average, but he’s got great potential” was a recurring parent-meeting slogan through all my school years). The middle which have built itself over the foundations of technical research, got their hands dirty in pen-tests, trying out new products, breaking stuff left and right, losing once in a while to get their bearings right. The middle who didn’t get blinded by a new management position, and kept relatively up-to-date on what’s going on. The middle who didn’t skip last year’s DefCon/BlackHat/Shmoocon/[your-favorite-con] talk because he thought it was some passing fad (and didn’t want to admit that it’s just too darn complicated for them to get into new stuff). The middle who took up looking at how the business works. From the numbers, through the sales, operations, tech-support, client meetings, competition and the board-room decisions. We forgot that this middle is our only chance to make progress, because this middle can translate the latest threat to numbers. Numbers that not only the CIO/IT guy can understand, but the CFO, the accountant, the COO and the order fulfillment guys can understand. The real impact on the business. With numbers, with a strategy on how (if ever) to address it, with an understanding that it might not be the latest and greatest gizmo that we need here, but something much simpler. An old solution, a tweak here and there – in a product, or a business operation. A quick chat with the procurement department on how they process stuff, or a change in the way that the sales organization works in the field when they run off to customers and meet the competition.

I find myself trying to fit in the middle too many times. I’ll admit it – I didn’t think of a middle back when I started getting paid for breaking things, but I saw the middle. I haven’t figured out the right terminology until 6 or 7 years ago for this middle. But darn it! (imagine what I held back until now…) I like that middle, and unfortunately (or fortunately as my accountant would say) we are still bad at filling that middle. We still haven’t bridged the gaps between the techies and senior management (I’m obviously generalizing, but look at your average F-100 company – you’ll get it…). Between the millions of dollars we spend on the wrong things, and the vague strategies we build on top of them to fend off auditors and boardroom questions.

Let’s get the good guys from both sides back to the middle. Let’s get the techies some business training, dress ‘em up nice and give them the tour. Let’s send our CxO’s to DefCon for a refresher on how things are done these days. There’s no shame in learning. If I find a day in which I didn’t have a chance to learn something new – technical, financial, political, strategy or disassembly, I feel wrong. Let’s justify our overpriced salaries and really make something out of it. We were used to be paid to think outside the box, and all we did since we started getting paid is to paint the box in crayons.

Break the box. Down to it’s nails and planks. See what makes it tick. Reassemble, open, get out, close it, and think how to make it better.

p.s. – what’s with the parenthesis you ask? well, that’s just how I like to write, and besides – it leaves room to put things in the middle 😉

Vista Sidebar Vulnerability

Or how a contact may get too close for comfort… It’s finally here. August 14th, and we are finally in liberty to talk about the vulnerability in the Vista Sidebar Contacts Widget.

As you may or may not know – when we presented “The Inherent Insecurity of Widgets and Gadgets” a few days ago at DefCon, we were unable to show a Vista vulnerable widget (5 out of 6 demos is pretty good though…), and presented a “censored” video as a teaser. The reason was that the security bulletin from Microsoft was only scheduled for the 14th (after several delays starting from an initial update scheduled for April…).

Interestingly enough – the severity as noted in the MS Security Bulletin is only “Important” rather than the critical that remote code execution usually means (maybe because the fix is just a one-liner???).

Either way – it out there, and we are proud to be helpful to the security community by providing alerts so that vendors can fix problems that affect the security on the internet. You can see the full uncensored video that shows how simple it is to get full remote code execution with these things below.