Each spring, the MIS Training Institute hosts InfoSec World, an educational event that brings information security practitioners together to learn from each other. This year, volcanic fallout prevented a few participants from making the trek. But those who attended were treated to detail-rich sessions about today's biggest security threats.

Leading off

Early arrivals exchanged war stories at Sunday's CISO Executive Summit, where speakers from eBay, BT, Tyco, and UnitedHealth discussed business risks and strategies, from breach prevention and regulatory compliance to the security implications of cloud computing and social networking. As the week wound to a close, cloud security fans got down-and-dirty with VMware, desktop virtualization, and virtual pen-testing at the Summit on Secure Virtualization and Cloud Computing.

In between were a bevy of sessions and workshops, highlighted by daily keynotes. On Monday, Jeff Jonas, Chief Scientist at IBM Entity Analytics, described how new technologies are changing our lives, personally and professionally. As social and business communications merge, information about us is increasingly co-mingled, raising privacy concerns and profoundly impacting information security.

On Tuesday, Bruce Schneier, Chief Security Technology Officer at BT, elaborated with his take on data collection, privacy, and the generation gap. Specifically, Schneier argued that humanity has evolved into a complex socio-technical system where everything that we do generates data, and privacy means exerting control over data.

Privacy in the information age

"Data is a byproduct of the information society," said Schneier. Transaction records are created for purchases, tolls, calls – even benign little IM or SMS chats. "Disks are cheap, searching is easy, so we might as well save everything," said Schneier. "We're all leaving digital footprints everywhere we go."

This data is being recorded because it has considerable potential market value. Take the ad-based revenue models employed by search engines and social networking sites. "You are not Google's customer," said Schneier. "You are Google's product, which they sell to their [advertising] customers."

Baby boomers may find wholesale surveillance troubling. But today's young are accustomed to living their lives in public. Unfortunately, those old transactions aren't going to fade away like memories. "Our species works well because we forget stuff," he said. "It will be considerably less fun when our writings at 14 are still available at 40."

Schneier argued that data is really the pollution generated by the information society. In this environment, privacy is not about maintaining secrecy – it's about exerting control. "We regularly tell people secrets about ourselves," he said. "But it's all about context – we may not want our photos from Facebook showing up at our next job interview."

To that end, Schneier argued that comprehensive privacy laws are needed to consistently govern broad data collection, primary and secondary data uses, individual control over data, and processes for erasure. "Laws determine what's legal. Corporations largely determine what options we have. We can only choose from those options," he said.

Fight back against Web 2.0 hacks

Over 50 sessions were presented over three days, running the gamut from security standards and laws to incident response and IT audit. Sessions varied in depth, but all were delivered by security practitioners, and many were accompanied by demos.

For example, Blueinfy founder Shreeraj Shah illustrated dozens of Web 2.0 attacks in his session on the worst Web vulnerabilities of 2010. Web app vulnerabilities continue to plague us, said Shah, but they have evolved along with technology. Today's most pernicious attacks are aimed at the newest platforms, from Ajax, Silverlight, and Flash to SOAP, HTML 5, and cloud APIs.

Part of the problem is functionality migrating into client-side components. "An attacker can analyze Flash [or Silverlight] files to find your business layer rules," said Shah. The best way to defeat these, said Shah, is to keep business logic on the server-side.

Cross-site scripting (XSS) is still the top client-side culprit, but new variations are taking hold. XSS attacks are surfacing in RSS feeds, mashups, and widgets/gadgets that use DOM (Document Object Model) sharing to deliver content that may contain exploits. Although these vectors may be new, defenses like input validation and source code review are not. Web app developers just need to think about receiving and processing content in different ways, at different times, from third-party/untrusted components.
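Shah's advice to treat feed, mashup and widget content as untrusted input, as an added example that is not code from his session or from any product: a whitelist sanitizer built on Python's standard html.parser that keeps a handful of formatting tags, discards script/style blocks together with their contents, strips every attribute not on the list (so all on* handlers go) and removes link targets whose scheme is not http or https, then re-escapes the remaining text. The allowed-tag policy and the sample feed item are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: what a feed/widget renderer is willing to pass through.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}


class FeedSanitizer(HTMLParser):
    """Rebuilds third-party HTML from a whitelist; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text (if any) still flows through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers onclick=, onerror=, style= and every other unlisted attribute
            if name == "href":
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: link targets are removed
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close the tag and anything left open inside it so the output stays well-formed
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(untrusted_html):
    """Return a sanitized copy of HTML received from a feed, widget or mashup partner."""
    parser = FeedSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    while parser.open_tags:  # close whatever the feed left dangling
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)


# Constructed feed item mixing legitimate markup with a script block, event handlers
# and a javascript: link, the mix a syndicated widget could deliver.
FEED_ITEM = (
    '<p>Hello <b>world</b> <script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="steal()">click</a> '
    '<a href="https://example.com/x">ok</a><img src=x onerror=alert(1)></p>'
)

if __name__ == "__main__":
    print(sanitize(FEED_ITEM))
```

The sanitizer rebuilds output from scratch rather than trying to delete bad fragments from the original string, which is why unknown tags, unknown attributes and unknown URL schemes all fall away by default; widening the policy is a matter of adding to the constructed sets at the top.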

Alas, server-side vulnerabilities have not declined. According to Shah, the biggest threats include Blind SQL injection, XML PATH injection, WSDL (Web Service Definition Language) discovery, and SOAP (Simple Object Access Protocol) injection. Here again, frameworks may have changed, but secure coding principles have not. "SQL over JSON (JavaScript Object Notation) can be the same old SQL injection attack – the payload is now just delivered differently," said Shah.
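Shah's point that "SQL over JSON" is the familiar injection with a different delivery mechanism, as an added example that is not his code or any project's: a JSON request body is unpacked and used to query an in-memory SQLite table, once by pasting the field into the SQL text and once as a bound parameter. The table contents and request bodies are constructed for the demonstration.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real accounts store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, json_body):
    """The 'same old' injection: the JSON field is spliced into the SQL text."""
    username = json.loads(json_body)["username"]
    sql = "SELECT username, email FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, json_body):
    """Parameterised query: the JSON field travels as data, never as SQL syntax."""
    username = json.loads(json_body)["username"]
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed request bodies: a normal lookup and the textbook tautology payload,
# arriving as JSON exactly as an Ajax client would send it.
NORMAL_BODY = json.dumps({"username": "alice"})
INJECTED_BODY = json.dumps({"username": "x' OR '1'='1"})

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal  :", lookup_vulnerable(db, NORMAL_BODY))
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTED_BODY))  # every row leaks
    print("safe, injected      :", lookup_safe(db, INJECTED_BODY))        # no match
```

Nothing about JSON changed the defence: the JSON decoder yields a plain string, and whether that string can alter the query depends only on how the query is built. The same holds for values lifted out of SOAP bodies or XML attributes.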

Lock down your VPN

In his SSL VPN attack and defenses session, Mike Zusman, principal consultant with the Intrepidus Group, lobbied for rigorous consumer testing of products. Many enterprises have migrated from IPsec to SSL VPN to simplify client deployment and use, said Zusman. But SSL itself is no silver bullet, and those who deploy SSL VPNs must be on the lookout for flaws.

To illustrate, Zusman enumerated recent SSL flaws, including Kaminsky DNS server bugs, rogue SSL cert generation bugs, extended validation SSL rebinding exploits, and last month's Live.com Webmail hacks. "Some say these SSL attacks are just theoretical," said Zusman. "But maybe that means your controls are only theoretical, as well."

Many SSL VPNs now incorporate numerous complex moving parts, from URL transformation to reverse proxies and tunneling. Given these components, one can guess where vulnerabilities may lie. For example, every SSL VPN includes at least one Web application. Not surprisingly, a few have been found to harbor XSS bugs.

"But the really nasty vulnerabilities are on the client side," warned Zusman. To illustrate, he demonstrated one SSL VPN's ActiveX control, which could be exploited to open a shell on the client. The flaw: failure to properly authenticate downloaded updates.

Companies that use SSL VPNs must be aware of these pitfalls, said Zusman. "Use standard tests (like input validation) to make sure that your VPN's Web apps are robust," he said. "Use fuzzing on your SSL VPN's reverse proxy, manipulate URLs to validate your blacklists or whitelists, and disable old weak protocol options like SSLv2."

On the client side, fuzz ActiveX controls with tools like COMRaider and Dranzer. Exercise certificate validation using self-signed certs and test for man-in-the-middle vulnerabilities. Vendors should do this during QA, but Zusman said that many IT groups are now required to test all new products for vulnerabilities – including SSL VPNs.

Step up to IPv6 safely

In his session on IPv6 threats, Dennis Allen, Cyber Training Team Leader at CERT/SEI/CMU, introduced the Internet protocol and address changes that all security professionals will soon need to know.

Like it or not, the Internet as we know it is changing. IPv6 is already creeping into many networks, often as a consequence of new device deployment. For example, Allen demonstrated how Windows 7 hosts listen by default to auto-generated IPv6 addresses. Hosts in your network may have IPv6-related exposures even if you haven't formally migrated to IPv6.

IPv6 includes a new (simplified) packet header, a new (longer, more complex) addressing scheme, a new ICMPv6 protocol (replacing ICMPv4), and new Neighbor and Multicast Discovery protocols (replacing ARP). Some initial security exposures may result from basic configuration mistakes and lack of IPv6 awareness.

Most of what we already know about network security threats and defenses does not change with IPv6, said Allen. Sniffing, VLAN hopping, IP spoofing, malware, and social engineering will all still be relevant. But Allen also described new threats and the best practices IPv6 admins should heed, including:

  • IPv6 site-local and unique-local addresses inside private networks
  • IPv6 privacy addressing to deter multicast ping scans
  • secure use of IPv6 ND and MD resolution protocols
  • IPv6 address auto-configuration anti-DoS measures
  • IPsec, 802.1X, etc., to stop NS/NA and RS/RA spoofing
  • IPv6 egress filters (including v4/v6 tunneling protocols).

More about IPv6 security can be found at CERT's training site.
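Allen's warning that hosts carry IPv6 exposures before any formal migration, as an added example that is not from his session or from CERT: an audit routine built on Python's standard ipaddress module that classifies the addresses collected from a host (link-local, deprecated site-local, unique-local, global, 6to4/Teredo/ISATAP tunnel endpoints) and flags MAC-derived EUI-64 interface identifiers, which indicate privacy addressing is not in use. The address list is constructed for the demonstration, as are the recommendation strings, which paraphrase the practices listed above.

```python
import ipaddress

# Constructed sample: the kind of address list an admin might collect from a
# workstation with ipconfig/ifconfig; none of these come from a real machine.
SAMPLE_ADDRESSES = [
    "fe80::21b:21ff:fe3a:9c01",              # link-local, EUI-64 interface id
    "2001:db8:1:2:21b:21ff:fe3a:9c01",       # global, EUI-64 (MAC embedded, stable, trackable)
    "2001:db8:1:2:7c8e:a1f0:3b2d:55e9",      # global, randomised (privacy) interface id
    "fec0::1",                               # deprecated site-local
    "fd12:3456:789a::1",                     # unique-local
    "2002:c000:0204::1",                     # 6to4 tunnel address
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo tunnel address
    "fe80::5efe:192.0.2.10",                 # ISATAP link-local tunnel address
]

ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed wording; each entry maps a finding to one of the practices listed above.
RECOMMENDATIONS = {
    "site-local": "fec0::/10 is deprecated; renumber to unique-local (fc00::/7)",
    "eui-64": "MAC-derived interface id; enable privacy (temporary) addresses to blunt scans and tracking",
    "6to4": "6to4 tunnel endpoint; egress-filter IP protocol 41 unless tunnelling is sanctioned",
    "isatap": "ISATAP tunnel endpoint; egress-filter IP protocol 41 unless tunnelling is sanctioned",
    "teredo": "Teredo tunnel endpoint; egress-filter UDP/3544 unless tunnelling is sanctioned",
}


def is_eui64(addr):
    """An interface id expanded from a MAC address carries 0xfffe in the middle of its 64 bits."""
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    return (iid >> 24) & 0xFFFF == 0xFFFE


def is_isatap(addr):
    """ISATAP interface ids are 0000:5efe (or 0200:5efe) followed by an embedded IPv4 address."""
    return ((int(addr) >> 32) & 0xFDFFFFFF) == 0x00005EFE


def classify(addr_str):
    """Return the scope/tunnel tags for one address, plus 'eui-64' when the id is MAC-derived."""
    addr = ipaddress.IPv6Address(addr_str)
    tags = []
    if addr.is_link_local:
        tags.append("link-local")
    if addr.is_site_local:
        tags.append("site-local")
    if addr in ULA:
        tags.append("unique-local")
    if addr.sixtofour is not None:
        tags.append("6to4")
    if addr.teredo is not None:
        tags.append("teredo")
    if is_isatap(addr):
        tags.append("isatap")
    # 2000::/3 membership is used instead of is_global so the 2001:db8::/32
    # documentation prefix in the constructed sample still counts as global unicast
    if not tags and addr in GLOBAL_UNICAST:
        tags.append("global")
    if is_eui64(addr):
        tags.append("eui-64")
    return tags


def audit(addresses):
    """Map each address to (tags, recommendations) for review."""
    report = {}
    for a in addresses:
        tags = classify(a)
        report[a] = (tags, [RECOMMENDATIONS[t] for t in tags if t in RECOMMENDATIONS])
    return report


if __name__ == "__main__":
    for addr, (tags, advice) in audit(SAMPLE_ADDRESSES).items():
        print("%-40s %-24s %s" % (addr, ",".join(tags), "; ".join(advice)))
```

Tunnel endpoints are the finding to act on first: a 6to4, Teredo or ISATAP address on a host means IPv6 traffic can leave the network wrapped in IPv4, bypassing any IPv6-unaware egress controls, which is exactly why the egress filters in Allen's list include the v4/v6 tunnelling protocols.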

Fight fire with forensics

Many sessions recommended strategies, best practices, and tools for vulnerability assessment, attack defense, incident response, or security audit. One standing-room-only session on advanced cybercrime countermeasures was presented by Alex Cox, a security researcher at NetWitness. "Criminals are jumping on the zero-day of the week," said Cox. "Forty percent of hosts are compromised and, if you've looked at blacklists, those systems are everywhere."

Unfortunately, traditional defenses have not evolved sufficiently to neutralize today's well-funded cybercrime threats, said Cox. Firewalls may block a lot – but attackers just ride permitted ports and protocols. Intrusion detection systems use signatures – which attackers bypass using obfuscation techniques. Anti-malware updates are often days or weeks behind – lagging so far behind that detection often implies a signature update, not an outbreak. "Successful infiltration probably happened long ago," said Cox.

To address these limitations, Cox recommended that every organization create a SWAT team to continuously track and rapidly respond to emerging cyber-threats. He also recommended deploying signature controls in conjunction with behavioral controls and proactive patching of OS, network, and application vulnerabilities.

But don't stop there, he said. Use malware analysis to examine suspicious code. For example, use Virus Total to scan any submitted file with over a dozen anti-malware engines. Or examine what malware actually does by running it in an online sandbox like Anubis, CwSandbox, or Threat Expert.

Unfortunately, attackers also use these to refine malware to elude detection. So what else can you do? Cox observed that back-end or "second stage" systems often lead to the same place – a download server, a command and control server, or a common domain. "Identifying these common points and patterns can be 100 percent effective," said Cox.

Doing so involves network forensics: the capture, recording, and analysis of network events to discover the source of security attacks. For example, capture and save all traffic obtained from a strategically located SPAN port. Cox demonstrated how to sift through capture files using a free version of NetWitness Investigator. With this approach, he pivoted through a capture, quickly identifying Waledac and Zeus symptoms.
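Cox's observation that second-stage traffic from many infected hosts converges on the same download or command-and-control servers, as an added example that is not his code and has nothing to do with NetWitness Investigator: a small pivot over constructed flow summaries (seconds since capture start, internal host, external peer) that groups flows by external peer, counts how many distinct internal hosts talk to it, and measures how periodic each host's contacts are. A peer reached by several hosts on a regular cadence is the "common point" worth chasing. The flow log is constructed; the thresholds are assumptions an analyst would tune to their own network.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries: "<seconds> <internal host> <external peer>".
# Three hosts check in with 198.51.100.7 every 60 s; the rest is ordinary, irregular browsing.
FLOW_LOG = """\
0 10.1.1.5 198.51.100.7
60 10.1.1.5 198.51.100.7
120 10.1.1.5 198.51.100.7
180 10.1.1.5 198.51.100.7
10 10.1.1.9 198.51.100.7
70 10.1.1.9 198.51.100.7
130 10.1.1.9 198.51.100.7
190 10.1.1.9 198.51.100.7
5 10.1.2.3 198.51.100.7
65 10.1.2.3 198.51.100.7
125 10.1.2.3 198.51.100.7
185 10.1.2.3 198.51.100.7
3 10.1.1.5 203.0.113.20
40 10.1.1.5 203.0.113.20
300 10.1.1.5 203.0.113.20
33 10.1.2.3 203.0.113.50
400 10.1.1.9 203.0.113.50
410 10.1.1.9 203.0.113.50
"""


def parse_flows(text):
    """Turn the constructed log into (timestamp, src, dst) tuples, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        flows.append((int(ts), src, dst))
    return flows


def beacon_regularity(times):
    """Coefficient of variation of inter-arrival gaps: 0.0 is perfectly periodic.

    Returns None when there are too few events to judge."""
    times = sorted(times)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def pivot_on_destinations(flows, min_hosts=3, max_cv=0.25):
    """Find external peers contacted by at least min_hosts internal hosts on a regular cadence.

    Returns a sorted list of (peer, sorted hosts, median regularity)."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    by_dst = defaultdict(dict)
    for (src, dst), times in by_pair.items():
        by_dst[dst][src] = beacon_regularity(times)
    flagged = []
    for dst, hosts in by_dst.items():
        if len(hosts) < min_hosts:
            continue  # a single host's odd traffic is not yet a common point
        cvs = [cv for cv in hosts.values() if cv is not None]
        if cvs and statistics.median(cvs) <= max_cv:
            flagged.append((dst, sorted(hosts), round(statistics.median(cvs), 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for peer, hosts, cv in pivot_on_destinations(parse_flows(FLOW_LOG)):
        print("%s reached by %d hosts (regularity %.3f): %s" % (peer, len(hosts), cv, ", ".join(hosts)))
```

The host count does the work Cox describes, and the cadence measure separates a shared update or CDN server, which hosts hit at irregular, user-driven times, from a check-in schedule; both thresholds should be loosened when the capture window is short or the sample hosts are few.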

So many sessions, so little time

Ultimately, one person can only absorb a handful of sessions at InfoSec World. We could only offer a small sampler of this year's event here, but readers interested in learning more should check out the InfoSec World 2010 Website.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.