<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>To strive, to seek, to find and not to yield.

Featuring Information Security from around the world - only quality reposts and links from industry leaders with original content.</description><title>neurotic.ca</title><generator>Tumblr (3.0; @neuroticdotca)</generator><link>http://neurotic.ca/</link><item><title>Death to SOX IT Sec Compliance?</title><description>&lt;p&gt;Very interesting lawsuit developing which challenges the very existence of Sarbanes-Oxley in the US. A summary &lt;a target="_blank" href="http://blogs.channelinsider.com/secure_channel/content/governance_and_regulatory_compliance/an_end_to_sarbanes-oxley.html"&gt;is available here&lt;/a&gt;, courtesy of &lt;a target="_blank" href="http://blogs.channelinsider.com/secure_channel/"&gt;Secure Channel&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;No question the potential outcome here would be a coup de grace for this misplaced and ill-designed security/compliance requirement for scads of US companies. Security vendors will be paying very close attention to this - and I suspect those with lobbyists are already hard at work on a plan of attack.&lt;/p&gt;</description><link>http://neurotic.ca/post/265733803</link><guid>http://neurotic.ca/post/265733803</guid><pubDate>Tue, 01 Dec 2009 22:22:26 -0500</pubDate><category>sox</category><category>compliance</category></item><item><title>HFAIT - Shodan</title><description>&lt;a href="http://shodan.surtri.com/"&gt;HFAIT - Shodan&lt;/a&gt;: &lt;p&gt;HFAIT?&lt;/p&gt;
&lt;p&gt;Click the &lt;a target="_blank" href="http://shodan.surtri.com/"&gt;title link&lt;/a&gt;, play around. No longer do you need to spend resources to scan target networks, simply query them through a search engine. Google hacking’s been around for a while, but this is beyond web content.&lt;/p&gt;
&lt;p&gt;Want to find vulnerable FTP servers running version xxxx globally? Drop it in, and away you go.&lt;/p&gt;
&lt;p&gt;Awesome. It’s one of those lovely double edged swords. Immensely useful tool, and when misused, the bane of defenders and vulnerable corporations everywhere. Job security! Hooray!&lt;/p&gt;</description><link>http://neurotic.ca/post/258609341</link><guid>http://neurotic.ca/post/258609341</guid><pubDate>Thu, 26 Nov 2009 15:20:57 -0500</pubDate><category>HFAIT</category><category>showdan</category></item><item><title>HFAIT - NY Yankees Parade Confetti = Your PII!</title><description>&lt;p&gt;HFAIT? Well, after cleaning up after the &lt;a target="_blank" href="http://www.google.com/hostednews/ap/article/ALeqM5jJqzYTx2WEoiVvhKeE1lTHYBzSSAD9BP61082"&gt;NY Yankees&lt;/a&gt; World Series parade - people started finding all sorts of lovely &lt;a target="_blank" href="http://www.wpix.com/news/local/wpix-confidential-confettii,0,5603178.story"&gt;personal information scattered about&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The article is a bit scant on details, but enough that I regret reading this first thing in the morning. No coffee, no breakfast, and now I just feel nauseous.&lt;/p&gt;
&lt;p&gt;We see examples of PII and other sensitive information being breached every single day in electronic form. We (security professionals) have a hard enough time preventing &lt;a target="_blank" href="http://www.twincities.com/ci_12404723"&gt;lost drives&lt;/a&gt;, &lt;a target="_blank" href="http://www.abc2news.com/news/local/story/MD-Bank-Dumps-Identities-into-Trash/wV5sp_lKOk-8hcfRRf0joQ.cspx"&gt;dumpster diving&lt;/a&gt;, &lt;a target="_blank" href="http://www.news-journalonline.com/NewsJournalOnline/News/Headlines/frtHEAD04101509.htm"&gt;stolen laptops&lt;/a&gt;, &lt;a target="_blank" href="http://www.starbulletin.com/news/breaking/69438757.html"&gt;poor coding&lt;/a&gt;, and &lt;a target="_blank" href="http://www.theregister.co.uk/2009/10/26/guardian_jobs_data/"&gt;compromised systems&lt;/a&gt;. But really? You guys got excited enough to throw fucking boxes of medical records and financial information out the window?&lt;/p&gt;
&lt;p&gt;Sweet Christ, use your head!&lt;/p&gt;</description><link>http://neurotic.ca/post/238112824</link><guid>http://neurotic.ca/post/238112824</guid><pubDate>Mon, 09 Nov 2009 09:56:36 -0500</pubDate><category>HFAIT</category><category>dataloss</category><category>yankees</category><category>PII</category></item><item><title>HFAIT - SSL/TLS Protocol Borked</title><description>&lt;p&gt;Fun times &lt;a target="_blank" href="http://www.betanews.com/article/Indiscreet-tweet-trips-awareness-of-Web-SSL-vulnerability/1257452450"&gt;hitting&lt;/a&gt; the &lt;a target="_blank" href="http://securosis.com/blog/major-ssl-flaw-discovered/"&gt;news&lt;/a&gt; &lt;a target="_blank" href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600523"&gt;feeds&lt;/a&gt; today.&lt;/p&gt;
&lt;p&gt;The &lt;a target="_blank" href="http://www.ietf.org/"&gt;IETF&lt;/a&gt; has apparently been working on a fix to the SSL protocol for the last 2-3 months in secret, due to a privately disclosed vulnerability which can allow SSL sessions to be intercepted and the data within these streams manipulated. I can has your sensitive data now plz?&lt;/p&gt;
&lt;p&gt;Since this is a protocol level flaw, it’s going to affect nearly every implementation across every OS, version, app and so on. Now that it’s out in the open though, it’ll be months (and in some cases, probably never) before patches are developed, tested, released and then run through every company’s patch management process (for those of you lucky enough to have such a fantastical thing).&lt;/p&gt;
&lt;p&gt;Those small embedded devices with SSL interfaces though, may never be patched, and that totally depends on the vendor’s maturity and responsiveness to these sorts of releases. This’ll be one of the flaws that we’ll still find a decade from now in vulnerability assessments.&lt;/p&gt;
&lt;p&gt;Happy Friday!&lt;/p&gt;</description><link>http://neurotic.ca/post/234972255</link><guid>http://neurotic.ca/post/234972255</guid><pubDate>Fri, 06 Nov 2009 09:17:06 -0500</pubDate><category>HFAIT</category><category>SSL</category><category>TLS</category><category>MITM</category></item><item><title>HFAIT - Canadian Bill C-47</title><description>&lt;a href="http://www.zeropaid.com/news/86463/canadian-surveillance-legislation-dissected-bill-c-47/"&gt;HFAIT - Canadian Bill C-47&lt;/a&gt;: &lt;p&gt;How Fucked Am I Today - &lt;a target="_blank" href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?pub=bill&amp;doc=C-47&amp;parl=&amp;ses=&amp;language=E"&gt;Bill C-47&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;A &lt;a target="_blank" href="http://www.zeropaid.com/news/86463/canadian-surveillance-legislation-dissected-bill-c-47/"&gt;useful analysis&lt;/a&gt; of each section of the proposed bill, which is designed to allow RCMP, CSIS and likely lower level law enforcement agencies to require ISPs and other telecommunication service providers to provide access to data transmissions.&lt;/p&gt;
&lt;p&gt;Some of the wonderful highlights include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;If it’s encrypted, you have to provide access to the decryption key&lt;/li&gt;
&lt;li&gt;If it can be decrypted by the ISP, the ISP must make an effort to do so (unless there is no way)&lt;/li&gt;
&lt;li&gt;No court order is necessary, only an order by an ‘authorized person’ (can be a company, govt branch, it’s open)&lt;/li&gt;
&lt;li&gt;The ISP must hand over related personally identifiable information related to these transmissions (who you are, the rest of your docs)&lt;/li&gt;
&lt;li&gt;This info can be collected and distributed to other foreign governments or police forces&lt;/li&gt;
&lt;li&gt;No specific interval or requirement to report on these orders and activities, nor have Privacy Office oversight&lt;/li&gt;
&lt;li&gt;..and it just gets better and better.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;An &lt;a target="_blank" href="http://www.privacylawyer.ca/blog/2009/10/privacy-commissioner-speaks-out-on.html"&gt;interesting response&lt;/a&gt; came from the Canadian Privacy Commissioner with respect to this and one &lt;a target="_blank" href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4008179&amp;Language=e&amp;Mode=1"&gt;similar bill (C-46)&lt;/a&gt;. Paraphrasing it a bit here, but: “&lt;b&gt;Fuck you.&lt;/b&gt;”&lt;/p&gt;
&lt;p&gt;Specifically, these are some of the questions unanswered which law enforcement and surveillance agencies are dodging:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;i&gt;“In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication? &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional? &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?”&lt;/i&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Great questions.&lt;/p&gt;
&lt;p&gt;While not as bad, it’s eerily similar to the hastily drafted and approved &lt;a target="_blank" href="http://en.wikipedia.org/wiki/USA_PATRIOT_Act"&gt;US Patriot Act&lt;/a&gt;. That act has had a whole bunch of &lt;a target="_blank" href="http://www.wired.com/politics/law/news/2007/07/exigentinvestigation"&gt;fun examples&lt;/a&gt; of its &lt;a target="_blank" href="http://www.cbsnews.com/stories/2005/03/08/national/main678915.shtml"&gt;misuse&lt;/a&gt; and &lt;a target="_blank" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2003/10/08/EDGL626TD81.DTL"&gt;abuse&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Let’s learn from their mistakes and pass on this one.&lt;/p&gt;</description><link>http://neurotic.ca/post/234228598</link><guid>http://neurotic.ca/post/234228598</guid><pubDate>Thu, 05 Nov 2009 16:16:00 -0500</pubDate><category>HFAIT</category><category>C-47</category><category>C-46</category><category>privacy</category><category>patriot act</category></item><item><title>HFAIT - FBI DCSNet</title><description>&lt;a href="http://www.schneier.com/blog/archives/2009/11/the_fbi_and_wir.html"&gt;HFAIT - FBI DCSNet&lt;/a&gt;: &lt;p&gt;HFAIT? Ok, well it’s not just today and it’s been around (and will continue to exist) for some time. Anyway, the US FBI’s wiretapping system is effective, comprehensive and can be used without warrants. Trust No One!&lt;/p&gt;</description><link>http://neurotic.ca/post/232019739</link><guid>http://neurotic.ca/post/232019739</guid><pubDate>Tue, 03 Nov 2009 12:51:00 -0500</pubDate><category>wiretapping,</category><category>DCSNet</category><category>HFAIT</category></item><item><title>HFAIT? - Browser Bookmarks</title><description>&lt;a href="http://websecurity.com.ua/3643/"&gt;HFAIT? - Browser Bookmarks&lt;/a&gt;: &lt;p&gt;How Fucked Am I Today - Web browser bookmarks.&lt;/p&gt;
&lt;p&gt;Theoretical vulnerability at this point, but so dirt simple and cheap to exploit that I imagine we’ll be seeing some of this in the next few months, bundled in with other malware distributions.&lt;/p&gt;</description><link>http://neurotic.ca/post/230993423</link><guid>http://neurotic.ca/post/230993423</guid><pubDate>Mon, 02 Nov 2009 13:47:00 -0500</pubDate><category>HFAIT</category><category>bookmarks</category></item><item><title>new sections - "security pirate's guide" and "how fucked am i today?"</title><description>&lt;p&gt;two bits of news for tonight!&lt;/p&gt;
&lt;p&gt;&lt;b&gt;FIRST!&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;alright so instead of posting work that other people are doing and commenting/summarizing and otherwise butchering the quality. i’m actually gonna start to write my own stuff! well, i’ll probably also continue to repost that stuff too.&lt;/p&gt;
&lt;p&gt;i’ll be naming the series as follows.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;the security pirate’s guide to&lt;/u&gt;&lt;/b&gt;: &lt;i&gt;live incident response, forensics and root cause analysis - how to use native system utilities to isolate and mitigate threats when you don’t have any specialized security technologies to assist you.&lt;/i&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;..i think the length of the title is what gives it its charm. i never got to write a long academic paper or thesis, so this is about as close as i’ll get.&lt;/p&gt;
&lt;p&gt;essentially, this comes from years of having to attempt identification of root cause and attack vectors on compromised systems long after the fact (sometimes, years). when you don’t have a HIDS, NIDS, centralized log server, trusted-state hashes, change history or an understanding of the system’s normal use and operation. the only data you have to work with is what’s been stored on the system and is rightly considered suspect/inadmissible in court and the system tools/binaries already installed can be compromised to mislead or hide system artifacts from further analysis.&lt;/p&gt;
&lt;p&gt;it really doesn’t get more disadvantaged than that, unless you’re trying to do this analysis through an OOB interface, such as a KVM with way skewed mouse precision or horrible lag on console input, while fending off a horde of the &lt;a target="_blank" href="http://www.youtube.com/watch?v=eunaclr-WgU"&gt;28 Days Later type zombies&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;unfortunately, this is something i find myself doing far too often. fortunately, i’m pretty decent at it and still able to tell with a high degree of certainty whether the box is rooted and needs to be nuked, then rebuilt, what apps/services were likely exploited, overall damage assessment, and then probably the most valuable - root cause and remedial activities.&lt;/p&gt;
&lt;p&gt;anywho. i’ll get to this in the next week.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SECOND!&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;i’m also going to try and keep this blog steaming fresh with some sort of ‘oh shit’ security exploit/news/research of the moment that has drastic potential to affect, or spells impending doom to those security professionals charged with securing things.&lt;/p&gt;
&lt;p&gt;i’m calling this section &lt;b&gt;“how fucked am i today?”&lt;/b&gt;. inspired partially by a presentation given at this evening’s &lt;a target="_blank" href="http://task.to/"&gt;TASK&lt;/a&gt; talk by Roy Firestein where he reviewed a number of the various wonderful web crimeware kits in distribution today. kinda neat to see the c&amp;c end of the platform, when typically all i’ll see is the damage and botnet infection.&lt;/p&gt;
&lt;p&gt;if you haven’t been to TASK and you’re in the Toronto/GTA area, make some time and go. it’s the last wednesday of every month.&lt;/p&gt;</description><link>http://neurotic.ca/post/226539747</link><guid>http://neurotic.ca/post/226539747</guid><pubDate>Wed, 28 Oct 2009 23:01:45 -0400</pubDate><category>TASK</category><category>zombies</category><category>SPG</category><category>HFAIT</category></item><item><title>CRTC 'rules' on internet neutrality in Canada</title><description>&lt;a href="http://www.crtc.gc.ca/eng/archive/2009/2009-657.htm"&gt;CRTC 'rules' on internet neutrality in Canada&lt;/a&gt;: &lt;p&gt;Well, it’s not great, and it’s still vague but it’s a start. ISPs which employ ‘traffic management’ (see: quotas, caps, shaping and throttling) now must notify clients and use fair and reasonable process when deploying this technology.&lt;/p&gt;</description><link>http://neurotic.ca/post/220021126</link><guid>http://neurotic.ca/post/220021126</guid><pubDate>Thu, 22 Oct 2009 10:42:15 -0400</pubDate><category>crtc</category><category>neutrality</category></item><item><title>Report: Web Application Security Statistics 2008-2009</title><description>&lt;a href="http://projects.webappsec.org/Web-Application-Security-Statistics"&gt;Report: Web Application Security Statistics 2008-2009&lt;/a&gt;: &lt;p&gt;The always insightful &lt;a target="_blank" href="http://www.webappsec.org"&gt;WASC&lt;/a&gt; security statistics report for all of 2008 has just been released.&lt;/p&gt;
&lt;p&gt;The data collected represents combined results of webapp vulnerability assessments from such market leaders as &lt;a target="_blank" href="http://www.whitehatsec.com/"&gt;Whitehat&lt;/a&gt;, &lt;a target="_blank" href="http://www.cenzic.com/"&gt;Cenzic&lt;/a&gt;, &lt;a target="_blank" href="https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&amp;cp=1-11-201_4000_100__"&gt;HP&lt;/a&gt; and &lt;a target="_blank" href="http://www.veracode.com/"&gt;Veracode&lt;/a&gt;. In total, 12186 individual sites were sampled.&lt;/p&gt;
&lt;p&gt;One thing to consider, the results are gathered from organizations who already have purchased services from these companies. They aren’t cheap, and out of the range for most small-medium businesses. Roughly $7k/assessment from Cenzic. In general, I think it’s safe to imply the results gathered here represent organizations with budget, expertise and formalized SDLCs which require some level of security assessment.&lt;/p&gt;
&lt;p&gt;Your average CMS/forum/ecommerce site likely isn’t represented, but from my own experience are all seeing the same kinds of vulnerabilities. XSS, SQL Injection, RFI, etc.&lt;/p&gt;
&lt;p&gt;Some FUD-enforcing statistics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&gt; 13% of webapps can be autohacked completely&lt;/li&gt;
&lt;li&gt;~ 49% of webapps contain high risk vulnerabilities which can be automatically detected during scans&lt;/li&gt;
&lt;li&gt;~ 80-96% of webapps contain high risk vulnerabilities when inspected manually&lt;/li&gt;
&lt;li&gt;99% of webapps are not compliant with the PCI DSS standard&lt;/li&gt;
&lt;li&gt;Top 3 vulns: XSS (39%), Information leakage (32%), SQL Injection (7%)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If the big guys with (assumed) more experience, money and formal programs to reduce these risks in their webapps are still struggling to get it right, how do you think everyone else is doing?&lt;/p&gt;
&lt;p&gt;Attention is growing to the webapp sec problem, and reports like this really help. Keep up the good work guys.&lt;/p&gt;</description><link>http://neurotic.ca/post/218221475</link><guid>http://neurotic.ca/post/218221475</guid><pubDate>Tue, 20 Oct 2009 12:48:33 -0400</pubDate><category>wasc</category><category>webappsec</category><category>sql injection</category><category>xss</category><category>report</category></item><item><title>Video detailing the hijack of the torpig botnet January this...</title><description>&lt;object width="400" height="336"&gt;&lt;param name="movie" value="http://www.youtube.com/v/2GdqoQJa6r4&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/2GdqoQJa6r4&amp;rel=0&amp;egm=0&amp;showinfo=0&amp;fs=1" type="application/x-shockwave-flash" width="400" height="336" allowFullScreen="true" wmode="transparent"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br/&gt;&lt;br/&gt;&lt;p&gt;Video detailing the hijack of the torpig botnet January this year, presented by the UCSB professor leading the university’s &lt;a target="_blank" href="http://www.cs.ucsb.edu/~seclab/"&gt;seclab&lt;/a&gt; - &lt;a target="_blank" href="http://www.cs.ucsb.edu/~kemm/"&gt;Richard Kemmerer&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I know, it’s old news. Still interesting content if you’re new to botnets, or haven’t kept up on this particular story. Runtime is 1:14hrs&lt;/p&gt;</description><link>http://neurotic.ca/post/216672896</link><guid>http://neurotic.ca/post/216672896</guid><pubDate>Sun, 18 Oct 2009 19:40:00 -0400</pubDate><category>torpig,</category><category>botnet</category><category>kemmerer</category><category>ucsb</category><category>it security</category></item><item><title>Report: Telus/University of Toronto - Canadian IT Security</title><description>&lt;p&gt;Telus and the University of Toronto have teamed up to deliver their second annual ‘Joint Study on Canadian IT Security Practices’.&lt;br/&gt;&lt;br/&gt;A few weeks ago, I was invited to the ISACA presentation in Toronto where the authors of this report reviewed the executive summary. I’m still getting through the full report, but so far it’s an incredible wealth of information. I’m really surprised that this isn’t something that’s seen a lot of media attention and I haven’t seen it picked up on any of the major security news feeds or mailing lists.&lt;br/&gt;&lt;br/&gt;Anyhow, the full report is available here (free registration required): &lt;a target="_blank" href="http://www.telus.com/securitystudy"&gt;http://www.telus.com/securitystudy&lt;/a&gt;&lt;br/&gt;&lt;br/&gt;It’s great to see specific information for IT security in this country. Constant comparison to US or global surveys isn’t always the best and tends to differ enough from what I’m seeing here that it’s not always useful for influencing decisions.&lt;br/&gt;&lt;br/&gt;A few highlights:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Breaches and annual costs are up; per breach costs are down&lt;/li&gt;
&lt;li&gt;Growing threat has rendered most security budgets inadequate&lt;/li&gt;
&lt;li&gt;Top performing respondents spent at least 10% of their IT budget on IT security&lt;/li&gt;
&lt;li&gt;Application security practices not keeping up with evolving threats&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;br/&gt;Definitely check this one out. I’d rank its value with that of the annual &lt;a target="_blank" href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf"&gt;Verizon Data Breach Investigations Report&lt;/a&gt;.&lt;/p&gt;</description><link>http://neurotic.ca/post/216565768</link><guid>http://neurotic.ca/post/216565768</guid><pubDate>Sun, 18 Oct 2009 16:43:35 -0400</pubDate><category>canada</category><category>telus</category><category>rotman</category><category>it security</category><category>report</category></item><item><title>Obligatory introduction</title><description>&lt;p&gt;They always start this way. It’s a rule or something.&lt;br/&gt;&lt;br/&gt;As some of you may have guessed, this is a blog. Welcome! I’m Erik. I work at a Canadian IT services/hosting company managing everything security. This includes incident response, sales, engineering, compliance, audit, risk management, training and privacy matters. In my spare time I try to change the culture to accept security as something as near and dear to its heart as profit is.&lt;br/&gt;&lt;br/&gt;Yeah, it’s an uphill battle, but such is this line of work. You either have to be the kind of person to always cheer for the underdog, love a challenge, and be seriously OCD. I happen to be all three.&lt;br/&gt;&lt;br/&gt;Anyhow, my primary intent of this whole blog is to write content that people can learn from and build upon. I’ve spent years leeching information from tens of thousands of email threads, RSS feeds, forums, IRC channels, vendor articles, user groups, government reports and the like. I think it’s long due that I begin adding to this community I love. Hopefully one of these posts helps someone, somewhere. 
Lord knows, we could use more people with clue and passion.&lt;br/&gt;&lt;br/&gt;Enjoy.&lt;/p&gt;</description><link>http://neurotic.ca/post/208490432</link><guid>http://neurotic.ca/post/208490432</guid><pubDate>Fri, 09 Oct 2009 11:59:00 -0400</pubDate><category>introduction</category></item></channel></rss>
