These are the crazy people in your security neighborhood – Part 2 Private Pyle

When you have been around the IT/Security space as long as I have you run into to a lot of whacky people. After a while you begin sorting and classifying them into nice convenient stereotypes. Over the next few weeks I will post my own stereotypes that I have discovered. Hope you get a laugh and figure out where you fit in. The Professional Conclusion is what to do if you are another security professional, the Vendor Conclusion is how you should deal with them if you are trying to sell them something.

Private Pyle started out in some backwater town in eastern Oklahoma before he joined the military to get the heck out of there.

private pyle

Once in the military someone figured out that this dude could add and plug in cables and they put him in the IT group. There he plugged in routers in places like Dubai and Kuwait. If it was in 2016, I’d bet he’d also have plugged in his a 3D printer like Dremel (check Dremel 3d40 review).

One time he saw a Pix firewall and that landed on his resume. He then gets sucked into AFCERT at some point and proceeds to write approximately 9000 proceed and policy manuals. Kicks out of .mil land and finds out that TS clearance he has is worth $$$$$ with all the private .gov contractors out there. Usually then will embed themselves into the belly of a contracting firm and never leave. Every once in a while the smart ones escape and end up in the private sector. Once they do they are generally mellow and easy going. They love building stuff. Got a firewall with extra blinky lights? Sold! IDS with a neural network learning computer? He will take 12! Got services? Unless you are part of the military industrial complex, you have the chips stacked against you.

Professional Conclusion: Typically laid back and mellow. Most are pretty sedate. Think Al Gore but they might actually know what TCP/IP is.

Vendor Conclusion: See above, blinky lights, outrageous promises sold!

Part 3 – The Techno Weenie

Source Mentioned:

Alumnus hacks Texas A&M system

My dad is a Aggie, sorry to see his school can’t secure their systems. If anyone is from Texas they know that the Aggie’s are the butt of many jokes. (Think Polish jokes, Texas style). One of my favorites:

How do you confuse an Aggie?

Put him in a round room and tell him to pee in the corner.

Bu dum bump, I am here all week folks!

I have grown somewhat numb to yet another college getting broken into. Sadly I think the security teams at these places are in a no-win situation. A culture of openness + lots of kids + lots of juicy PII and CC data = many places to fall over and leak data. Maybe RIAA can’t stop wasting time with P2P witch hunts and let the security people at these institutes of higher learning get back to securing the information of the students and faculty. Oh I can dream…

I recently dug my archives and found a story that was fascinating more than a decade ago. Below is an excerpt:

Alumnus hacks Texas A&M system: “A recent graduate of Texas A&M University is charged with hacking into the school’s computer system and illegally accessing information on 88,000 current and former students, faculty and staff members.

Luis Castillo must appear before a magistrate judge Wednesday.”

By the way, if you wondering what happened to the student, let’s just say your guess is as good as mine. Nowadays, rather than chase these small kids trying to hack into school systems, I spend my time restoring websites that have been hacked. Like this one of a client who writes MDF stethoscope review articles. It’s a funny world; how much 10 years can bring a difference in someone’s career.

Sources Mentioned:

MS Destroys the Consumer AV Market: Or Did They?

In Nov 2008, Microsoft announced that they are going to start offering free anti-virus/spyware/trojan/rootkit protection. Say bye-bye to Symantec and Mcafee’s cash cows. It looks like it took about 5 years to make it happen assuming they are using the technology they aquired back in 2003 via GeCAD.

So the big question is how long will it take them to go free or alomost free on the enterprise market. My guess late 2009 or early 2010 based on this acquisition.

How good will it be? Who the heck knows but competing against free is always hard. It is really hard when people already hate buying anti-* software. Why buy that when I get this for free from MS.

Last qustion is how are Symantec Mcafee and Trendmicro, et. al. going to recoup all that lost revenue? I have not looked lately but not long ago home and SMB markets where major piles of cash for those companies. So the smart ones will ook at other aquistions to bolster there bottom line. I don’t think it can be just one, they are going to have to go on a bit of a spending spree or die.

When Defenses are Offensive

Cory Doctrow has a good article on the differences between the speed of detected an attack and the automated response to it and the slowness in recovering from a mis-applied block.

As usual Cory outlines it is brilliantly simple, straight forward terms that anyone can understand. I used this tactic quite a bit when pen-testing in a no-holds bar pen-test. Basically I spoofed UDP based attacks against a host and used the central log servers IP address as the source of the attack. This triggered the HIDS on this host to block traffic to and from the log server. Instant invisibility from the folks monitoring the central log server.

This also realy drives home my issue with auto-blocking web application firewalls.  When your WAF decides to block something one from using your website the really have no recourse that will respond as fast as the blocking of there traffic. If Mr. O’Reilly can’t checkout, he will just move along to someplace he can.

When you deploy any mechanism that auto-blocks traffic you must take great care to think through the methods of blocking, the thresholds where something is blocked, and how to recover from inadvertent blocking of a legitimate person/host.

ScanAlert – XSS is Cool with Us

Sometimes I just want to give up. I really hate XSS because it is really a tricky issue to explain to people that don’t understand.  It basically boils down to bad people using my website to compromise clients. What they do with those compromised clients can range from fairly benign replicating worms ,  phishing scams, all the way to total remote control of the end users browser. The fine folks at Scam ScanAlert clearly don’t think this is a problem though.

It is hard enough to educate web site owners that this is a problem and how it impacts them without having to fight against people in our own industry telling them it is OK to have XSS vulnerabilities.

Jeremiah, provide more great commentary. By the way, how are you liking the electric wheelchair you bought?

Apple Blocks the Word Script

Jordan Weins post about the exact problem with offensive defense systems on his blog How Not to protect your webap. Great job Apple, the word “script” is so evil I can’t do a search for Applescript. So would argue this is a good thing, especially if they have seen any of the Applescript I have written. This smells like someone who does not understand Web Application Security, specifically cross site scripting, created a rule to block the one bad vector they could think of, while not thinking through the impact of that rule. Now if someone could just import that rule onto the MS website maybe we could rid the world of VBScript.

SANS says the #1 Server Security Issue is Your Web Application

The latest SANS Top 20 has been released and according to SANS the #1 issue impacting the security of your servers is the web application code that lives on top of it.

I agree with them (in a totally biased way of course) but the data they cite leaves me with an uneasy feeling. SANS likes to go by reported vulnerabilities. Reporting of web application vulnerabilities is basically non-existent outside of open source PHP applications. Every once in a while you will see a reported vulnerability in something like PeopleSoft or MS Sharepoint but a large percentage of the reported web application vulnerabilities are in things like Jim Bob’s PHP Guestbook 0.00001alpha and really who cares about that.

PHP include issues are most certainly bad but they are far from the most prevalent issue found in large enterprises. In our customer base we only have 22 PHP sites we scan out of around 650 sites today. There is just not a lot of PHP adoption in the enterprise, at least in our customer base.

So while I agree with the conclusion I feel leary about how it was reached.

5 Security Predictions for 2018

1. We will see the first multi-website XSS worm.

I think we will finally get a true cross site XSS work in 2008. Combining XSRFand XSS to propagate a worm across multiple sites and multiple domains. The first one will be benign but the others will be much more malicious in nature. Leading victim candidate are social network sites that are becoming increasingly open.

2. More consolidation in the security industry.

There is still a great difference between the small security players and the giant ones in terms of cash flow. As the old guard (McaFee, Symantec, etc) see dwindling revenue on various fronts they will begin to convert some of that pesky cash into acquisitions. Could this be the year Qualys gets gobbled up?

3. PCI will clarify section 6.6

This is more of a hope really. Since it goes into full effect mid-2008 I hope to see some clearer definitions around what companies are expected to do.

4. 2008 will set another record for breaches

Yeah big shocker! The trend will continue with more smaller breaches this year as opposed to a few massive ones.

5. RBN will disappear again. Someone related to them will get busted.

With the light too bright they will morph again and change tactics. Money will still flow in to them by the millions though. However with increasing public knowledge of the group someone will get busted and connected to them. No one high up in the group, but some poor sucker at the wrong place at the wrong time. Law Enforcement will trump it as a “significant” blow to the group. RBN won’t notice.

The Big Announcement

I’ve not been this pumped about something in a long time. Jeremiah actually has been pulling me into liking this idea for a very long time. I hated it at first. I mean WAFs, bleh. Plus I mean didn’t we already try scanners + WAFs before? Oh yeah the total trainwreck that was AVDL. So one thing I failed to realize was that Jeremiah’s approach is a bit different and when combined with WhiteHat Sentinel (aka NOT a scanner) it is a no brainer.

WAFs generally struggle in a few different areas, the people running them are not web app. security experts and trying to apply a default deny policy, while a great idea in theory, is pretty hard in the real world . There is just way to much movement in most applications to pin it down. Even if the app does not change frequently, WAF admins are very hesitant to even come close to blocking legitimate traffic. This is what was happening on this site that covers EMT stethoscopes, nursing stethoscopes, nursing student stethoscopes and general stethoscope reviews.

What really sold me though is when I saw it in action for the first time. From the Sentinel UI we clicked a button that updated the F5 with a rule to block a vulnerability. The rule is automatically generated based on the vulnerability. We then clicked the retest button and the vulnerability was no longer exploitable . Note my careful choice of words, exploitable VS. “not there anymore”. The vulnerability certainly still exist in the code but now that the attack is blocked the business can decide if this is a good enough solution or they need to go fix the actual flaw.

The geek in me is screaming that it still needs to be fixed, the business side is saying that the rule is good enough and I am not going to commit resources to fixing it until that code is worked on again. From the PCI Section 6.6 perspective this gives the business some great options. As our customers are becoming aware of the PCI requirements and the PCI auditors are becoming tougher on web application vulnerabilities we run into a difficult situation. PCI audit is coming up and the app. is riddled with vulnerabilities.  I now have to dedicate precious development resources to fix these vulnerabilities ASAP. With this solution I can apply this rules and effectively mitigate the issue.

I am pretty excited to be part of this. I think we have moved the industry forward today, even if it was just a small step. People now have some more options to mitigate risk besides running to the development team with yet another fire.

Source Mentioned: Best Stethoscope