Apr 30 2010

Throwing Money at Security Won’t Necessarily Keep Your Enterprise Secure

Published by dlandoll under Strategy, risk and compliance

Wait! Read this blog before you spend any money on security.

Do you really understand the true risk to your sensitive data and critical systems? If not, it’s time for you to do a little soul searching and find the answers to some really important questions, such as “What really matters to my organization from a security perspective?” And, “Where are we failing to secure our critical assets?”  Given the inability of most organizations to apply adequate time and/or budget to simultaneously tackle every potential security issue, you really need to answer these questions so that you can identify and address your truly critical concerns first.  I’ve seen too many organizations run around in circles trying to secure the next items on their radar – an approach that more often than not turns out poorly.

Here’s what I recommend: use risk to determine the priority of your security initiatives. Take a systematic and effective approach to your security program by first understanding the business drivers in each of the business units. Don’t know where to start? Ask yourself, “How does this unit make money?” Although a bit simplistic, this is a great place to start. From here you should be able to identify mission-critical assets – those are the assets required by the critical systems you just identified.

Once you have identified critical systems and assets, you now know what to protect, but from whom? And from what? Categorize and determine the capabilities of the most likely threats to these critical systems and assets. Then, determine the vulnerabilities in your existing security controls and identify the effort required to exploit them. Then, start tackling the risks that could most significantly impact your enterprise. Sound like a lot? In all truthfulness, a risk-based approach – especially if legal and regulatory requirements are a concern – is the most efficient way to gain accurate visibility into your current state of compliance and identify what steps are required to mitigate gaps. And, if you need help, check out our new Information Security Risk Assessment service.

Once you’re headed down this path, it is natural to wonder whether you have too much or too little security, and whether you’ll know either way. And that’s great – at least you are considering both ends, and that means balance. It is important to understand that critical systems and sensitive data are not the only assets of your company – so are money and time. There is such a thing as too much security. The resources spent on security improvements should be limited by the value their implementation brings to the protection of other assets (capped by asset value).

You should put enough effort into security to reduce the real, validated risk to an acceptable amount. When security efforts are a hindrance to your business processes beyond the value of what is being protected, your company has too much security in place.

I’ve just thrown a lot at you so let me give you a good rule of thumb. When you start worrying more about how much you are spending on security than you are about your assets being compromised, then you are spending too much. If you are still worried about the protection of your assets over security spending, you have put in too little.  Re-evaluate, re-address and re-implement.

Have you been taking the right approach? Can you demonstrate that to management?

Doug Landoll
Practice Director – Risk and Compliance Management


Apr 27 2010

Perimeter Security – A Far Flung Fantasy?

Published by cmorales under Strategy, virtualization

Consider the potential thought process of the IT professional who is challenged with managing security for his or her organization’s computer infrastructure: “What did those 30,000 systems cost anyway? How much more will it cost for software licensing, tech support and hardware upgrades every couple of years? And, to add insult to injury, apparently one user’s long lost uncle in Nigeria sent some XP antivirus for only $59.99, which has now infected my entire network. Who needs this? Why can’t we just get out of the computer business and save a few bucks along with my sanity? If our employees choose to chat away on Skype all day and let the Twitter world know the latest sandwich available at Joe’s Deli for lunch, then let them do it on their own computer hardware! We could save a lot of money, get rid of the real security threat, and then enjoy the latest episode of Dr. Who with our new found free time…”

Is the idea of taking an organization’s environment mobile such a silly thought? A far flung fantasy? Perhaps surprisingly, not as much as one would think. Certainly, the thought process above is a bit exaggerated. People don’t really watch Dr. Who. But – organizations are considering this transition. Recently, Accuvant was approached by a client with this very type of request. We were asked what it means to lose the workstation, to leave workers to their own devices, to place the users on the outside of the kingdom. What are the security risks? What are the security savings?

What is more profound is the frequency with which these types of requests are beginning to materialize. Embattled with their perceived state of security, the ever-increasing cost of system management, an inability to achieve a reasonable level of control and grandiose dreams of slashing overhead costs and reducing risk levels, it is easy to understand why many organizations would consider throwing up a white flag and letting the castle gates down. Corporate America, awash with data centers that are due for a refresh and upgrade in the near term, is tantalized at the prospect of redefining the definition of “security at the edge”.

So, what’s an executive tasked with the protection of information supposed to do?  Retreat to the inner core of the network and build a wall around the prized corporate jewels?  Legions of employees, even those inside the corporate office, would join the ranks of roaming mobile warriors with remote authentication tunneled through controlled entries, unprotected by the prized perimeter security strategy and treated like the savages of the unmonitored Internet to which they are relegated.  All this, as a result of simply wanting to achieve lower operating costs and increased security control; greater visibility and scalability that can be achieved with a minimal infliction of pain.  

How far can this idea go? Do we even need a network? Wasn’t ubiquitous computing the solution? Clearly, some of our clients believe so. They are dissolving the perimeter, packing up, sending user applications to the cloud, and moving their valuables to colocation data centers. They are going to divest themselves of the end point as an asset and replace it with a comprehensive NAC strategy that enforces corporate standards and policy.

On top of that, is it possible to have our cake and eat it too, i.e., a secure work environment layered on top of an uncontrolled desktop environment? Virtualization presents such an opportunity. No longer does a physical machine have to map directly to the job. Although the segregation of a network into distinct zones defined by the required security controls and sensitivity levels is nothing new, access to basic functions and services such as web browsing, email and standard applications can be provided on a low-risk network, while activity critical to those business functions that handle critical data is contained on a highly secured, controlled network. The virtual machine is defined as a secure environment sharing data across its own encrypted private network, isolated from the system on which it sits.

Of course, this leaves us with a system that must be configured as such. Didn’t we just try to get away from this problem? So how do we create a dual environment without managing the system it sits on? We take classic security controls and a preconfigured work environment with the applications and data needed, and apply policies, monitoring and auditing as needed. Then, you lock it all down, encrypt the whole mess, toss it on a portable drive, and make it boot. Some call it a “system on a stick”, where access is given to those in need in a form that goes everywhere. Controlled centrally, the physical device is no longer a risk or cost for the organization. To the controlled environment, it always looks the same regardless of where in the world it travels. With native encryption, loss or theft of a drive becomes irrelevant, relegated to the cost of the device rather than the loss of critical data. Even business partners who need access to certain forms of data can be issued devices with their own sets of policies and controls. The need to allow data to leave the protected castle becomes a thing of the past, bringing those with the need inside rather than letting that which is needed out.

As I mentioned previously, this concept is nothing new. Centralized server environments with virtualized desktops already exist and serve their function quite well. There is, of course, the cost of centralized hardware and pipes large enough to handle LA traffic during rush hour. Offloading the operating system to a USB drive allows for the use of cheap common hardware for computing power and only the bandwidth needed to serve data located centrally.

So USB drives with isolated encrypted virtualized operating systems and critical data centrally stored and controlled. Does it work? Does it stink? Please do tell. What am I missing? Any war stories to share? We would love to hear.

Chris Morales
Accuvant Solutions Engineer


Apr 19 2010

Using WIPS in Wireless Networks – Protection and Performance

Published by clyttle under Strategy, WIPS, WLAN, wireless

We are often asked by customers about the relative value of implementing WIPS (Wireless Intrusion Prevention/Protection Systems) in their enterprise network environments, either to support a “no wireless” policy or to augment a WLAN solution and add an additional layer of protection. It seems a lot of people equate this kind of system with the wired IPS (Intrusion Prevention/Protection Systems) they may have implemented or looked at in their networks, and make a judgment call on the value of implementing something similar on the wireless side. My viewpoint is somewhat different in that I see WIPS as being necessary not only for protection against wireless attacks, but also as one of the best ways to monitor the health and performance of a wireless network. Recent market analysis done by firms such as Gartner came to the same conclusion: they see the WIPS market as not only being about mitigating security problems but also about managing performance and, in some cases, helping to isolate problems organizations are facing on the WLAN.

There are two basic architectures used by WIPS systems. First is the overlay architecture. This uses specialized access points that are deployed throughout the enterprise in order to provide ubiquitous WIPS coverage and triangulate any place that wireless attacks might come from, while also monitoring the wireless infrastructure. Being highly specialized like this gives a great deal more information as to what’s going on in the wireless network. The second architecture is the time-slicing, or integrated, architecture. This approach uses the regular APs that are deployed and serving WLAN clients; for a few milliseconds at a time they take a ‘slice’ of time to scan for wireless attacks and to monitor the wireless network.

There are costs and benefits to both of these architectures in WLAN design. For the overlay architecture there is the obvious cost up front of purchasing additional specialized access points to cover the entire RF footprint of the enterprise. There are also several benefits to this architecture, first the ability of the overlay architecture to constantly monitor and if necessary to mitigate attacks and rogues in the network gives it a big advantage. The vendors that have this kind of architecture usually are able to see in much more detail the performance of the radio spectrum that is in use as well and this gives them an advantage in being able to identify when there is interference or other performance problems with the WLAN. The downside to this is that it requires more knowledge on the part of the wireless engineer who is managing the network to be able to identify why the performance is suffering or where the wireless attack could be attempting to exploit a weakness in the WLAN network. This complexity can also be difficult for someone who has to work with many other technologies outside of wireless. Overlay WIPS architectures are also commonly used to enforce a no-wireless policy that an enterprise may have because they do not allow any clients to connect and do not provide network access.

The time-slicing or integrated architecture has the advantage that it can utilize existing APs that are deployed in the enterprise WLAN. This substantially lowers the cost of a WIPS deployment, especially where the main thrust of the deployment is to assist in client monitoring and rogue detection. As this architecture is normally integrated into the WLAN architecture, the management tools used are also usually a part of that WLAN’s management system. This gives the wireless engineer fewer tools to learn and potentially a more streamlined way of monitoring and being notified of problems with the WLAN. The downside is that as the AP is doing dual jobs, monitoring the network as well as servicing clients, it may end up in a situation where it does neither job very well. The basic operation of this kind of architecture is to spend part of the AP’s time servicing clients and part scanning the network for problems. In the case of voice or video usage in the WLAN, a very big factor in their operating well is the latency of the connection. When the AP has to stop and spend part of its time doing a scan, it will by its very nature introduce latency to the network and affect those protocols. Conversely, while the AP is servicing clients rather than scanning, it may miss a wireless attack or network performance problem that started during that interval, and because it must return to servicing clients, it cannot continuously attempt to mitigate an attack once detected.

I would strongly encourage anyone who is thinking about implementing a WLAN in their enterprise to consider the benefits of a WIPS solution. As WLAN technologies mature and become relied on by your employees to do their jobs, being able to properly monitor and manage the performance of the WLAN also becomes critical to the business. WLANs have become much more secure in recent years with the adoption of standards such as AES encryption and 802.1X authentication for clients, but there continues to be a challenge in properly managing and preventing attacks on the wireless infrastructure. I would also suggest that the overlay architecture will provide the best value for situations where the WLAN is critical for business processes. There are vendors in the market now with overlay systems that are easy to set up and use, and also vendors that provide a large set of additional features and enhanced functionality that will enable someone who needs complete control to monitor every aspect of their WLAN.

Chris Lyttle
Principal Wireless Security Consultant – Accuvant


Apr 07 2010

Security Suite or Best-of-Breed Product? Yes, and Yes.

Published by dwilson under Strategy, Uncategorized

I was recently asked by a reporter, “Is the trend towards comprehensive security suites a positive development, or does Accuvant prefer to assemble a solution from various best-of-breed products?” Personally, I don’t think this question can be easily answered, nor do I necessarily agree that the trend exists, at least to any greater extent than it has over the past ten years.

When making a decision between competing products – assuming there were no considerations beyond which technology performs best, solves the problem or enables the business most efficiently – then a ‘best-of-breed’ approach would clearly be preferred over a product suite. In fact, that approach is Accuvant’s preference when presented with a ‘perfect world’ scenario. However, we don’t live in a perfect world. If we did, John Elway would be getting ready to lead the Denver Broncos to a record 15th straight Super Bowl victory, and he is not. In this world, we need to consider things like budget constraints, technology interoperability, training investments and the New England Patriots.

While I don’t think an organization’s security strategy should be dictated by cost considerations, there is a tendency towards overkill in the technology sector, especially in our space. Time and again, we’ve seen ant-sized problems for which dozens of manufacturer salespeople are ready to sell a sledgehammer, a trebuchet or an ICBM, with the only question being which color trebuchet is best suited. (Of course, I am not referring to any of Accuvant’s partner reps here, all of whom are saintly.)

Instead, I am presupposing that a best-of-breed approach is more costly than the adoption of a product suite, which I think is safe. What I’m not saying, however, is that individual point solutions in a suite are inferior technologies to those offered by independent, focused, niche players. In fact, even when that is the case, it is usually short-lived as larger companies – the big fish – acquire the innovators – the small fish – and incorporate them into their solution suites. Data leak prevention (DLP) technology provides a great example of this dynamic, as demonstrated by the flurry of acquisitions over the past few years.

DLP also offers an example of other factors that an organization must weigh when making a technology decision. If we assume – solely for the sake of argument – that all DLP solutions are equally capable and that they all cost the same amount, then it is safe to say that the client’s decision will be based on its relationships or the investment it has made in the “big fish” company. If the client has made a significant investment in EMC and RSA, for example, then the RSA DLP solution will likely win based on its interoperability with other EMC/RSA products, the client’s (IT staff) knowledge of RSA solutions, and probably even volume pricing arrangements in place with EMC/RSA. Again, I am not saying all DLP products are the same, but I do not think an organization would be well-served by comparing DLP products without considering how each DLP product fits into the manufacturer’s solution suite.

To sum up, I think there is a place for both a best-of-breed and a product suite approach. I also think a good reseller partner should take the time to understand its client’s needs, be knowledgeable and current on manufacturers’ products, consider the advantages and disadvantages of both approaches, and only then arrive at and offer the best possible solution. “Is the trend towards comprehensive security suites a positive development, or does Accuvant prefer to assemble a solution from various best-of-breed products?” Yes, absolutely.

Dan Wilson
VP Partner Alliances


Apr 02 2010

Enterprise Patch Management and Enterprise Configuration Management – Two Big Network Security Threats

Published by jbroome under Application Security, Strategy

I visit lots of customer sites each year and see many security-related commonalities amongst them. At the top of this list, from a network security perspective is the lack of attention paid to enterprise patch management and enterprise configuration management. 

For better or for worse, Microsoft has taught the industry to patch once a month. But most of Microsoft’s patches released on this monthly cycle deal only with the various Microsoft Operating Systems and fail to address vulnerabilities in primary or secondary applications or services such as Exchange, SharePoint, IIS, etc. Due to this type of release cycle, and a lack of self-education on the part of the administration staff, many organizations are failing to effectively patch the technologies and applications that lie on top of their Operating Systems, such as Oracle databases and desktop applications like Adobe Acrobat. Without a comprehensive patch management program, organizations continue to have significant gaps in their security based on missing patches.

Honestly, enterprise patch management doesn’t have to be a problem.  Just recently, Microsoft released their new patch management solution, which provided better flexibility to manage patches at the desktop and secondary application level. Additionally, there have been solutions available on the market that enable organizations to effectively maintain operating system patches for not only Windows but other operating systems such as Linux and Unix, as well as primary and secondary functioning applications like SQL servers, MS Office and the various Adobe products. Some even go as far as providing better support for pushing antivirus updates. Many of these solutions also provide the capabilities companies need to maintain consistent hardware configuration settings. 

Just as enterprise patch management is a fixable issue, so is network enterprise configuration management. From a hardening procedure standpoint, organizations spend a lot of time creating their standard system build image and forget to come back and update that image on a regular basis.  A solution that was effective six to 12 months ago will not be effective today, and it will leave a network vulnerable. Standards change and the Internet is not static. Therefore, it’s important for companies to pay attention to ongoing maintenance of standards and policies and make ongoing changes as appropriate. 

As you can see, when it comes to network security the people and processes are just as important as the technology – maybe even more so. I strongly believe that the biggest potential mistake administrators and/or companies can make is not educating their users.

The majority of recent attacks faced by Twitter and Google directly targeted the employees and users of corporate networks. Companies that haven’t taught their users the basics of what to avoid can pretty much assume they’re going to get infected by the next big infestation/attack, especially when you couple that with legacy technologies like Internet Explorer 6 as the standard browser users are required to use. Providing ongoing user awareness training and seminars that include real-world examples and scenarios is the best way to educate users on their requirements to help keep the environment as secure as possible.

Companies also need to focus more on using the right resources for the right initiatives. A common mistake that I’ve seen over the past two years happens when an organization buys a Web Application Firewall (WAF) and leverages network operations personnel to implement and maintain the system. Unfortunately they will find out the hard way that they are using the wrong resources. A WAF requires detailed knowledge of the Web environment and application infrastructure, which many network operational professionals do not have. Based on a strong understanding of Web applications, an application level professional or developer would be a better choice for ongoing maintenance of this type of technology – at least from a policy and technology enforcement perspective.

I’d love to hear about the changes your company has made to harden network security. Let me know!

Jim Broome
Director – Accuvant LABS


Mar 25 2010

Could Smartphones be the Unsuspected Entry Point for a Network Attack?

Published by mbossom under encryption, smartphone

Last year, during the 2009 Black Hat event in Las Vegas, two security professionals presented research about the possibility of SMS attacks across a GSM network. Since that time, the frequency of inquiries from our clients about how to protect the enterprise from mobile-based attacks has increased. Although we personally have not seen mobile malware attacks “in the wild” and think mobile attacks will be a relatively low priority for attackers this year, we do believe that the concerns about enterprise management of cell phones in the corporate environment are legitimate for a couple of reasons.

Back in the late ’90s, many companies standardized on BlackBerrys. This meant that network and security folks only had to worry about one mobile operating system and a single enterprise management system to control device encryption, antivirus and malware detection. But things have changed. Employees are now buying (and using) Windows Mobile, Palm, Apple, Symbian, Android and whatever other types of phones and operating systems they want. With the various operating systems, it can be extremely difficult for companies to manage and secure all of the disparate mobile devices found in their environment. This has made the conditions ripe for a multitude of different mobile device attacks.

For instance, hackers sometimes impersonate carriers and send SMS and MMS messages to users’ phones. The hackers provide hyperlinks and ask for account information under the guise that they’re planning to activate new services. When victims click on the links, they can download malware that can expose personal data, including emails, contact lists and calendars.  Compounding this issue is the myriad of apps folks put on their phones, which makes the probability that they willingly download an infected file much greater because their ability to determine its validity is limited.

Bluetooth, because it offers a more open delivery system, also is being leveraged to attack smartphones. For example, a hacker could walk by or stand in close proximity to unsuspecting users (somewhere within 10 to 30 meters), and use Bluetooth to send viruses or browse any unencrypted personal data. Most phones and Bluetooth headsets are configured to use a default password – and many users never change this password. This type of attack is becoming increasingly common in hot spots such as restaurants, hotels and airports.

I know … it’s all very interesting, but why should you care? The reason: viruses on mobile devices provide an often-undetectable entry point into corporate networks. As soon as employees sync their phones with their laptops or desktops, they’re introducing viruses, malware and bots back into the corporate network.

Fortunately, there are measures you can take to protect your users and your company.  For example, you can install software on corporate mobile devices that detects when someone is trying to attack using an MMS message or Bluetooth and blocks the attack automatically. There also is software that encrypts mobile device data so that the information cannot be accessed when devices are lost or stolen. And, if the enterprise standardizes on RIM-based smart phones, they can easily enforce “kill pills” – which are designed to kill all the data on mobile devices when they are lost or stolen.

However, mobile security software isn’t a silver bullet. It is important for companies to enforce policies and implement processes for employee use of phones. And user education is one of the most valuable steps a company can take. It is the company’s responsibility to provide users with as much protection as possible, but it’s also up to the users to know what applications they are using on corporate-owned mobile devices and what they’re clicking on, along with who’s contacting them and why.

Matt Bossom 
Accuvant Program Manager – Technology Solutions


Mar 11 2010

Security Comes in All Different Shapes and Sizes

Published by dlandoll under risk and compliance

Late last week, I read a SearchSecurity.com blog that quoted Caleb Sima as saying, “…developers shouldn’t learn anything about security. It’s not their job.” I felt compelled to write about the piece, not to support or condemn that statement, but rather to encourage people to think about the bigger picture. 

You see, there are a variety of factors that play into what a security program should contain, and every organization is completely different. Security requirements can be influenced by whether a company is public or private, its vertical markets and even its size, among other things. They can also be impacted by the organization’s level of security awareness.  As a result, some companies may have IT departments that include one security-focused resource; others may have entire departments with multiple resources, while some don’t have any security experts on staff at all. This disparity makes it almost impossible to come up with a one-size-fits-all, cookie cutter approach to information security.

So, rather than focus on the development process, which is clearly just one aspect of security, each company really needs to think about how its overall security program should look when it’s mature. The underlying goal is always to define and develop a program that protects the confidentiality, integrity and availability of information assets. This requires taking the appropriate steps to evaluate the organization’s current risk landscape as well as the risk-reducing potential of available solutions.

Using this risk-based approach, companies will be able to see where they fall short when it comes to compliance, including for regulations and standards such as HIPAA, GLBA, and PCI, and mitigate gaps. Organizations will also be better equipped to address their unique risks with measures that are logical, efficient and cost-effective. Furthermore, companies will be in a position to effectively test the integrity of their existing security program so they can see where their current measures are sufficient and where they are not, and then weigh their priorities based on need.

It is not news to anybody that threats are present in every environment and, regardless of the existence of an information security program, incidents can and do occur. However, organizations that invest time and effort into implementing coherent information security practices reduce both the likelihood (probability) and the scope of an incident. This translates into an enormous business impact. Failing to safeguard data can be very costly, including the direct expenses associated with detecting, halting and repairing compromised systems, as well as the tangential expenses tied to attempting to restore a ruined reputation. There also are penalties for violating state and federal privacy laws under the principles of unfair or deceptive trade practices, and the inherent loss of productivity, which can result in tens of thousands of dollars a day based on loss of email usage alone. The implications – both financial and operational – skyrocket when malware spreads to other aspects of the computing environment such as servers, workstation operating systems, and file shares.

Think about it. Can your organization really afford to focus only on one piece of the puzzle?

Doug Landoll, CISSP, CISA, MBA
Practice Director – Risk & Compliance Management


Mar 08 2010

Recent Encryption Research Demystified

Published by pbrass under OpenSSL, encryption

Last week, NetworkWorld published an article under the headline “RSA 1024-bit private key encryption cracked.” RSA encryption was one of the first widely-used asymmetric key algorithms, meaning it uses two keys, one public and one private. A message encrypted with the public key can’t be decrypted without the private key, the idea being that your public key is published so that anybody can encrypt messages with your key and send them to you, and the private key is kept secret so that only you can decrypt and read those messages.

This asymmetric encryption idea was such a huge improvement over previous shared-secret cryptosystems that it is used in everything from web browsers, where it protects sensitive transactions like online banking and shopping cart checkouts, to cryptoprocessors used in banking mainframes, embedded devices like iPhones and mp3 players, and credit-card sized smart cards like those that protect premium satellite and cable TV content.  The most common use of RSA is probably in web browsers and web servers, with an installed base of more than one billion personal computers.

Given such pervasive use of asymmetric crypto, and RSA’s algorithm in particular, news that 1024-bit private key encryption has been cracked would be alarming indeed.  Fortunately for all the online shoppers out there, this is another example of headline hyperbole.  The article outlines the findings of a paper titled “Fault-based attack of RSA authentication” that describes an attack the authors carried out on an encryption library that implements the RSA algorithm, called the OpenSSL library.  In order to perform the attack, the authors had to tamper with the power supply of the computer they were attacking, lowering the voltage just to the point where the computer would still operate, but occasionally operate incorrectly.

So, the first thing to note is that the thing that was cracked was the OpenSSL library’s version of the RSA algorithm.  The paper did not find any weaknesses in the actual RSA algorithm itself.  And the second point of interest is that the attack required physical access to the power supply of the target system.  For example, to carry out this attack on an online banking server, the attacker would need physical access to the online banking server’s power supply, which means they would need to be inside the bank’s data center.  Given the “wealth” of other targets available to an attacker standing inside of a bank’s data center, theft of the online banking web server private SSL key by a difficult and time-consuming voltage regulation attack seems rather unlikely.

These restrictions make the attack sound like something that is purely theoretical, and not useful in real life.  While it is true that online shopping and banking probably aren’t under much threat from this kind of attack, RSA and related algorithms are used in many other applications.  This kind of attack is most likely to be carried out against systems that are designed to operate in a public environment: smart grid electric meters for example, or consumer electronics devices like iPhones and game consoles – any device with a private key embedded in the hardware that could, if extracted, be used to impersonate the device or card. 

While this kind of attack is most useful against embedded devices, the paper’s authors claim that one of the contributions of this research is demonstrating that voltage-manipulation fault injection attacks can be applied to larger devices like the microprocessors found in desktop PCs and servers. The really strange thing about this paper is that while the researchers claim to have implemented the attack on a full-size SPARC/Linux/OpenSSL workstation, the actual hardware was a Xilinx Virtex2Pro FPGA emulating a SPARC CPU, which the researchers claim is representative of an off-the-shelf commercial embedded device. It seems as if they are trying to have it both ways – i.e. it is an attack against a full-size workstation, and by the way it is also an attack against something you might see in a typical embedded system. (What kind of embedded system would be running Linux on an emulated SPARC on an FPGA? Maybe an embedded cryptoprocessor or something.)

The attack seems to be based on causing short-lived faults in the CPU during one of the RSA signature algorithms used by OpenSSL.  Since this kind of attack has been around for a while, the OpenSSL library actually contains some code to counter it.  According to the paper, the signature is first generated with the private key rather quickly using Chinese Remainder Theorem style multiplication.  Then the signature is checked, using the public key.  If the signature is invalid, the system assumes it was attacked and goes to a slower, but supposedly more attack-resistant signature mechanism, i.e. left-to-right squaring.

According to the paper, the results of the fallback left-to-right squaring RSA signature are not checked before the signature is sent to the other party.  That is probably the bug in OpenSSL.  Because the result isn’t checked, an invalid signature is sent.  The recipient can use these invalid signatures to infer information about the private key and with enough invalid signatures and processing time, the entire private key can be broken.
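As an added illustration (not code from the paper or from OpenSSL), here is a toy RSA signer in Python that applies the countermeasure described above the way it should be applied: the fast CRT result is verified with the public key, and if that fails the slower left-to-right square-and-multiply fallback is used and its result is verified as well before anything is released. The tiny key, the `fault` test hooks and the function names are all constructed for this example.

```python
# Toy key: constructed from tiny textbook primes so the numbers stay readable.
# Far too small for real use; the structure, not the size, is the point.
P, Q = 61, 53
N = P * Q                              # modulus, 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, 2753
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # q^-1 mod p, for recombination

def sign_crt(m, fault=None):
    """Fast CRT path: s = m^D mod N from two half-size exponentiations.
    `fault` is a constructed test hook that perturbs the mod-P half, standing
    in for a hardware glitch; real signing code has no such parameter."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault is not None:
        sp = (sp + fault) % P          # corrupt one CRT branch
    h = (QINV * (sp - sq)) % P         # Garner recombination
    return sq + h * Q

def sign_plain(m, fault=None):
    """Slow fallback: left-to-right square-and-multiply, no CRT."""
    s = 1
    for bit in bin(D)[2:]:
        s = (s * s) % N
        if bit == "1":
            s = (s * m) % N
    if fault is not None:
        s = (s + fault) % N            # constructed glitch in the fallback
    return s

def verify(m, s):
    """Public-key check: a genuine signature satisfies s^E = m mod N."""
    return pow(s, E, N) == m

def sign_checked(m, crt_fault=None, fallback_fault=None):
    """Release a signature only after it verifies, on either path.
    Returns (signature, path_used); path_used is "refused" when both results
    fail the check, the case the post says OpenSSL's fallback did not handle."""
    s = sign_crt(m, crt_fault)
    if verify(m, s):
        return s, "crt"
    s = sign_plain(m, fallback_fault)  # switch to the slower path
    if verify(m, s):                   # the check missing from the fallback
        return s, "fallback"
    return None, "refused"             # never emit an unverified signature
```

Calling `sign_checked(65, crt_fault=1)` takes the fallback path, and `sign_checked(65, crt_fault=1, fallback_fault=1)` refuses to return a signature at all, which is the behaviour an unchecked fallback lacks.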

While the NetworkWorld headline is an exaggeration, the paper itself could probably be summarized in the following three sentences:

  1. It is possible to perform fault-based crypto attacks against microprocessor systems, at least when they are implemented in an FPGA.
  2. The OpenSSL RSA signature algorithm’s fallback algorithm, left-to-right squaring, is also vulnerable to fault-injection style attacks, even though it was supposedly chosen as the fallback algorithm because of its increased resistance to such attacks.
  3. The OpenSSL RSA signature algorithm apparently doesn’t check the result of the fallback algorithm prior to sending signed messages.

The paper does present an attack that might be used to jailbreak the next iPhone or Xbox, or clone satellite TV or cable cards, at least if any of those systems use a vulnerable version of OpenSSL.  However, a more accurate headline might have been “Obscure bug in OpenSSL library poses little risk to consumers.”

Phil Brass
Managing Principal Consultant – Accuvant LABS


Feb 22 2010

Patch Production & Responsible Disclosure – Follow On to WSJ Post

Published by mparcell under Strategy, Vulnerabilities

A recent article published on the Wall Street Journal online declares a “Broad New Hacking Attack” involving the ‘new’ malware threat, Zeus or zbot. This threat is far from new, however; neither the malware nor the phenomenon is. In April of 2008, RSA issued an advisory about the threat. It is simply another dashboard exploiting a different set of vulnerabilities.

The reality of the situation is that the current security controls in place for many companies are not going to adequately protect against this kind of threat. At a macro level, until industry standards demand rapid patch releases from vendors and corporate policies enforce more timely updates for their users, these botnet armies will continue to grow virtually unchecked. 

Even with corporate patch management programs that enforce strong update policies, it is fundamentally a losing battle to try and stay ahead of the people crafting this malware by patching once a month. Whether it’s Microsoft’s ‘patch Tuesday’ or Firefox’s semi-monthly security updates, the window of time in between patches leaves attackers too much room to craft new exploits with which to update the malware. Companies are limited by the patches released by vendors, and the vendors in turn are limited by the vulnerabilities they are aware of.

In order to further facilitate the production of these patches, stronger incentives should exist for responsible vulnerability disclosure. Rather than simply relying on community reports or vulnerability leaks, vulnerability disclosure should be rewarded monetarily. If Microsoft is willing to offer a quarter-of-a-million-dollar reward for the arrest of the people that made Conficker, isn’t it reasonable to offer rewards for the responsible disclosure of these vulnerabilities before they reach the massively exploited botnet-army stage? These patches are only useful, however, if corporate policies enforce regular updates. It’s the circle of life.

There are, obviously, steps that can be taken to mitigate the risk presented by these threats but those are covered in Jim’s post.

Matthew Parcell

Senior Security Consultant – Accuvant LABS


Feb 19 2010

Mitigate Risk, Prevent Attacks – Response to WSJ Article from 2/18

Published by jbroome under Strategy

Yesterday, the Wall Street Journal published an article by Siobhan Gorman about hackers in Europe and China who successfully broke into computers at 2,500 companies and agencies over the last 18 months. The hackers used various techniques to infiltrate the corporate networks, including malware, phishing, email attachments, false virus patches and botnets.

A client of ours asked us: “what do you propose we do as an organization?” The answer to this question really depends on what stage of the infestation/attack they are at.

Not Infested/Attacked Yet – Answer:

Training, Training, Training! The best non-technical way to prevent getting infected is user awareness training and testing/retesting. The majority of the attacks faced by Twitter and Google, and this round of attacks as well, directly target the employees and users of your network. If you haven’t taught your users the basics of what to avoid, you can pretty much assume you are going to get infected by the next big infestation/attack that comes around. Providing ongoing user awareness training and seminars that include real-world examples and scenarios is the best way to educate your users on what they need to do to help you keep your environment as secure as possible.

Additionally, if you’re one of the organizations with dynamic content filtering, proxies, IPS, DLP, HIDS, and an enterprise patch management solution, some luck may be on your side. A lot of the malware can be delivered in email, through web applications and, most popularly, through PDF files, so more than one area of your strategy may need attention if you don’t have the above.

Darn It, We Got It! – Now What? Answer:

So, you’ve gotten infected and need some help cleaning up or figuring out what’s going on. Here’s where Accuvant can help and the types of services we offer:

1 – Emergency Response Level Services:

Time is of the essence. Emergency response services can assist customers with responding, containing and isolating infected systems to start fixing the issue.  These services are designed to get in there fast and start helping the client monitor for points of infestation and possibly kill spreading attacks.  

2 – Malware Analysis:

The LABS team has performed these for clients that want detailed analysis of a unique infestation or deliberate events.  In these cases, we do a forensic image of the system and review the binary to try and determine origin and function.  We have performed these services for financial companies, and those that need to know if they are being targeted by industrial espionage or organized crime.

3 – Solutions Optimization:

After an event, several clients have asked us to come in and evaluate their current solutions to determine if they have configuration issues or coverage gaps in current technologies. Essentially, we do a security gap analysis to see what solutions/technologies they are missing, as well as how we can optimize their existing installed solutions. Once the gaps are identified, we can start helping the client find solutions to fill the voids.

After The Dust Settles:

By now, we should have things at least contained and most of the issues resolved. At this point, Accuvant highly recommends going back to step one, user security awareness training, updating your existing program to include these latest examples and refreshing your users on their responsibilities in helping you keep your environment secure.

Unfortunately, the events that were discussed in the WSJ are ongoing. There is no silver bullet to stop stuff like this from happening, so the best solution is mitigation, prevention and awareness training. Companies need to understand their risk landscape and take steps to appropriately address those risks before they get compromised.

Jim Broome
Director – Accuvant LABS

