Monthly Archives: August 2007

Aged Old Code

Old wine or whisky can become more complex and interesting. Old code becomes insecure:
Or at least becomes more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code, which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: that as code ages it becomes insecure.

Evolve or Die, by arthur, Emergent Chaos, August 29, 2007 at 7:47 AM

The state of the art in discovering vulnerabilities advances. I remember when nobody worried much about buffer overflows. Related to that, programs get used in environments they weren’t written for. Who really cared about buffer overflows on the early Internet, when just getting it working for a few researchers was the goal? Also, the number of people motivated to break code keeps increasing, especially those with monetary motivation. "With enough eyes, all bugs are shallow" also means that with enough eyes all vulnerabilities become easy to find. Or, in this postmodern world, even computer programs are largely what people perceive them to be, and those perceptions change.

For example, Jeff Pulver perceives Facebook’s video messages as videophone. How long before somebody perceives it as a phishing method? Where there’s humans there’s humint.

-jsq

Outrage at Outrage Management


So we were discussing Peter Sandman’s recommendations for outrage management, which mostly have to do with how to deal with management not doing something that you’ve given them rational reasons to do, because of some emotional resistance or other. The opposite problem also occurs: they believe you; they just don’t care. Then you could use some outrage.

Alex brings up two good points in the previous comments:

I’m afraid that outside of usefulness in those communications channels, I just would hesitate to use the term "Outrage". For example, creating "Outrage" metrics sounds like you’re working in Hollywood publicity for Paris Hilton, not protecting business assets. :)

Yes, exactly: it is in these communications channels, that is, with management, that emotion, up to and including outrage, has to be used and managed.


Non-Asymmetric Malware


Most exploits through the Internet have been relatively small guys (individuals, gangs, etc.) against big companies and governments. Yet they’re already using botnets to leverage their activity. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn’t clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don’t. Now the bad guys can multiply the leverage of the Internet by also using local wireless connections to further interconnect.

Did we need more proof that there’s no such thing as a perimeter to fortify anymore?

-jsq

Outrage: Less and More

We’ve been discussing Outrage Considered Useful. Alex remarked in a comment:

The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.

What I think Sandman is getting at is that often risk isn’t discussed in a rational manner, because managers’ (and security people’s) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn’t be that way, but in this one, people don’t operate by reason alone, even when they think they are doing so.

Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

Indeed, quantitative analysis is good. However, once you’ve got that analysis, you still have to sell it to management. And there’s the rub: that last part is going to require dealing with emotion.


Skype and Windows Update

So, Windows update: Skype outage cause or smokescreen?

Apparently both:

The disruption was caused by a routine Windows patch update distributed Tuesday that required users to restart their computers. When a large number of Skype subscribers began logging back in around the same time, the requests – combined with the day’s traffic patterns – began overwhelming the system, revealing a bug in the software that normally helps the system allocate resources and “self heal.”

“Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring,” Skype spokesman Villu Arak said.

Skype reveals outage source, tells customers it won’t happen again, Ryan Kim, San Francisco Chronicle Staff Writer, Tuesday, August 21, 2007

So we seem to have here a combination of hazards tripping each other.

This does raise the more general question of what other bugs synchronized Windows updates are exercising. How long before such a Windows update installs a vulnerability that immediately gets exploited? And how long before such updates themselves cause massive outages? In a software monoculture, Windows may be its own boll weevil.
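To make the "combination of hazards" concrete, here is a small tick-based model of a login storm, added here as an illustration; it is not Skype’s software or anything from the Chronicle article. All numbers (10,000 clients, 50 logins accepted per tick, a fixed 5-tick retry, a 600-tick stagger window) are constructed assumptions. It contrasts every client reconnecting at the same instant after a forced reboot with clients spreading their first attempt over a window, and shows why the synchronized case keeps hammering a capacity-limited service long after the reboot.

```python
import random
from collections import Counter


def simulate_reconnects(n_clients, capacity, retry_after, jitter_window, seed=7):
    """Tick-based model of clients logging back in after a mass restart.

    Each client makes its first attempt at a tick drawn uniformly from
    [0, jitter_window); jitter_window=1 means every client reconnects at
    once (the synchronized-reboot case). The server accepts at most
    `capacity` logins per tick; a rejected client retries `retry_after`
    ticks later. Returns (peak attempts seen in one tick, ticks until every
    client is logged in). All parameters are constructed assumptions.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    pending = Counter(rng.randrange(jitter_window) for _ in range(n_clients))
    served = peak = tick = 0
    while served < n_clients:
        attempts = pending.pop(tick, 0)
        peak = max(peak, attempts)
        accepted = min(attempts, capacity)
        served += accepted
        rejected = attempts - accepted
        if rejected:
            # Rejected clients all retry together: the storm repeats itself
            # every retry_after ticks until the backlog is worked off.
            pending[tick + retry_after] += rejected
        tick += 1
    return peak, tick


def compare_strategies(n_clients=10_000, capacity=50, retry_after=5, jitter_window=600):
    """Run the synchronized and the staggered case side by side."""
    synchronized = simulate_reconnects(n_clients, capacity, retry_after, jitter_window=1)
    staggered = simulate_reconnects(n_clients, capacity, retry_after, jitter_window)
    return {"synchronized": synchronized, "staggered": staggered}


if __name__ == "__main__":
    for name, (peak, ticks) in compare_strategies().items():
        print(f"{name:13s} peak attempts/tick={peak:6d}  ticks to drain={ticks}")
```

With these assumed numbers the synchronized case presents all 10,000 logins in one tick and needs roughly 1,000 ticks to drain, because the rejected clients keep retrying in lockstep; spreading first attempts over 600 ticks keeps every tick under capacity, so nobody is rejected and the backlog never forms. The lesson for a defender is that a patch that forces a synchronized reboot is itself a load event, and clients should add jitter to their reconnect timers rather than retry on a fixed schedule.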

-jsq

Brass Leaks

We already observed that military information security is a bit of an oxymoron and over in Peerflow that the U.S. military thinks its soldiers in Iraq are likely leaks.

Well, it turns out that:

For years, members of the military brass have been warning that soldiers’ blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially harmful information than blogs do.

Army Audits: Official Sites, Not Blogs, Breach Security, By Noah Shachtman, Danger Room, August 17, 2007, 12:29:00 PM

Is there a psychologist in the house? Is the military blaming its own incompetent leaks on the troops out of projection, or is it just plain old CYA?

I’m pretty sure hiding this report until the EFF filed a FOI lawsuit to get it is CYA.

I don’t think it’s good risk management for the troops, or the Iraqis, or even for the brass.

-jsq

Click Fraud Network

Here’s another company detecting effects of botnets:
The Click Fraud Index™ monitors and reports on data gathered from the Click Fraud Network™, which more than 4,000 online advertisers and their agencies have joined. The Network provides statistically significant pay-per-click data collected from online advertising campaigns for both large and small companies.

“We’re not surprised to see the industry average click fraud rate climb this quarter as a result of botnet activity,” said Robert Hansen, CEO of SecTheory and one of the industry’s leading experts in online security threats. “Our clients are well aware that botnet activity is on the rise and that botnets are being used for a variety of online fraud activities, including click fraud.”

ClickFraudNetwork accessed 16 August 2007

They claim the country originating the most click fraud is France, followed by China. However, it would be more useful to show which ISPs are originating most click fraud, i.e., which ones are most infested by botnets. Countries are too big and too slow to have much of a chance of doing something about this. ISPs can.

-jsq

Outrage Considered Useful

There’s a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren’t a lot of metrics presented that were strategic and business-like.

Let’s assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?

As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.

The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007

He goes on to outline several reasons management might get upset.


Brooklyn Tornado


How soon they forget:

It wasn’t just the tornado in Brooklyn — the first in recorded history in the borough — it was the huge quantities of rain that flooded basements and stranded rail and road commuters from Mineola to Midtown.

End of the world as we know it? By Carl Macgowan, Newsday, 10:51 PM EDT, August 8, 2007

Sounds kind of like "who could have predicted it?"


Metricon Slides, and Viewed as PR

The slides from MetriCon 2.0 are all posted now. Many good talks in there; I’ll probably comment on some more of them later.

One of the most interesting aspects was to see those with business experience try to explain to those who said "Just tell me what to count!" that counting isn’t enough. If you want business managers, executives and the board to pay attention, you need to say what your counts mean.

Chatting with attendees, it became clear some of them interpreted the latter as a call to make up numbers to match whatever you wanted to sell to management. Far from it. The point is to abstract your numbers and to describe them in terms of what they mean to the business.
