
Dirty Little Secrets of IA (Information Assurance)

Why we might not be doing as good as you would hope…

Bruce Potter (gdead@shmoo.com)

SecurityGeeks I
Administrivia
• What is SecurityGeeks?
– Part learning, part information exchange, part social…
• How often should we meet?
– Once a month?
• Topics? Format?
• Future location ideas?
• List Charter?
• More questions?

ShmooCon Pimpin’
• Tix are on sale (sorta)
– More to go on sale Jan 1, Feb 1
• CFP still open
– Though we have a lot of submissions in already… if
you’re thinking of submitting, do so soon
• ShmooCon Labs
– A limited set of folks that will set up the network and
learn from experts (apply now)
• Hacker Arcade
• Hack or Halo

Don’t Believe Anything I Say
• “Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha
• Information Assurance is all about not trusting what you are hearing, seeing, or
being sent to you
• By Day, Senior Associate for Booz Allen Hamilton
– Focusing on IC
– Wireless Security, application assurance, information security strategy
• By Night, Founder of The Shmoo Group and restorer of hopeless Swedish cars
– Anyone know what a Volvo 1800 is?

IT Security Needs Pyramid

[Pyramid diagram, labelled with the axis “Sophistication and Operational Cost”. Layers as listed from top to bottom: Honeypots; IDS; Software Sec, ACLs; Firewalls, Auth / Auth; Patch Mgt, Op. Procedures]

Secret #1 - We’re not gaining on the attackers
• For the last 4 decades, information assurance professionals have been attempting to solve the same problem

[Figure “InfoSec History - Nutshell”: a bar labelled “Total problem” with a portion labelled “What we’ve solved”]

“Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks”
“Underlying most current users’ problems is the fact that contemporary commercially available hardware and operating systems do not provide adequate support for computer security”
“In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security was ‘added on’ or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system”
• Computer Security Technology Planning Study - October 1972, Electronic Systems Division, Air Force

Current InfoSec Trends
• Anti-virus, Intrusion Detection, and Strong
passwords
– Defense in Depth… aka: layer enough protection
mechanisms on, and something will stop the bad guys (is
this a good idea?)
– Microsoft is the root of all security evils (is this true?)
– Most of the threat against your systems is from script
kiddies who have more guts than brains (is this still the
case?)
• All these ideas are geared toward a threat model
that existed 10 years ago
– Let’s look at attackers today

The “Open Source” Model of Security
Research
• Only in the last 15 years have public discussions of
Information Security issues come into vogue
– From obscure geeky bulletin boards to the front page of the NY
Times…
• InfoSec is not really a science yet
– Crypto is “math”. InfoSec is much, much more
• Because of the specialized knowledge required, and the
lack of a formal body of knowledge, a community has
grown
– Information on vulnerability research methods, specific
vulnerability information and live exploits were publicly discussed
– The idea of “responsible disclosure” was born (and debated at
length)
– But things have changed…

Secret #2 - Existing Security
Products are Becoming Obsolete
• Firewalls and IDS’s were created for a different threat model
– They are probably still necessary but nowhere near sufficient
– At a recent conference, CIOs were asked whether they would notice if their
firewall and IDS logs went away, and most said “no”.
– IDS’s are best geared toward policy monitoring and enforcement
• Host based security is becoming increasingly important
– Lost laptops aren’t just a problem for the VA
– Much easier to find attacks at the endpoints than in the infrastructure…
except for all the noise
– With the mobile workforce, laptops are often outside the sphere of
protection of the enterprise security architectures
• Anomaly detecting systems are also a wave of the future
– But statistical analysis of a single dimension of data may be a better bet
than multiple data source correlation or some manner of AI-based system
• How do we secure SOA-based systems?

Secret #3 - Having trusted hardware can completely change the face of information assurance
– Secure cryptographic operations
– Secure key storage
– Integrity attestation
• By some accounts, can ultimately rid us of the problems of
malware, viruses, etc.
– Trusted boot -> signed kernel -> signed drivers -> signed apps
– Signed does not mean “secure” but it at least means “what I
intended”
• Why is now (finally) the time for trusted computing?
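As an added illustration that is not from the deck (and not real TPM code), a toy model of the measured-boot chain in the bullet above: each stage is hashed and extended into a PCR-like register in boot order, and a verifier compares the result with a known-good value recorded at provisioning. The component images and the golden value are constructed stand-ins.

```python
import hashlib

# Toy model of TPM-style measurement (not real TPM code): each boot stage is
# hashed and "extended" into a register in boot order. The final value depends
# on every component AND the order, so any change breaks the attestation.
def extend(register: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(register + measurement).digest()

def measure_chain(components):
    """components: list of (name, bytes) in boot order. Returns the final
    register value and an event log of per-stage measurements."""
    register = b"\x00" * 32            # register is zeroed at power-on
    log = []
    for name, blob in components:
        measurement = hashlib.sha256(blob).digest()
        register = extend(register, measurement)
        log.append((name, measurement.hex()))
    return register, log

def attest(components, golden: bytes) -> bool:
    """Verifier side: recompute the chain and compare with the known-good value."""
    final, _ = measure_chain(components)
    return final == golden

# Constructed stand-ins for the real bootloader/kernel/driver/app images.
GOOD_CHAIN = [
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"signed kernel image"),
    ("driver", b"signed driver"),
    ("app", b"signed application"),
]
GOLDEN, _ = measure_chain(GOOD_CHAIN)    # recorded at provisioning time

def tampered_chain():
    """Same chain, but the driver image has extra bytes appended."""
    chain = list(GOOD_CHAIN)
    chain[2] = ("driver", b"signed driver" + b" (modified)")
    return chain

def reordered_chain():
    """Same images, but kernel and driver measured in the wrong order."""
    chain = list(GOOD_CHAIN)
    chain[1], chain[2] = chain[2], chain[1]
    return chain

if __name__ == "__main__":
    print("good chain attests:     ", attest(GOOD_CHAIN, GOLDEN))
    print("tampered chain attests: ", attest(tampered_chain(), GOLDEN))
    print("reordered chain attests:", attest(reordered_chain(), GOLDEN))
```

The register only says "this is what I intended to boot", exactly the distinction the slide draws: a matching value proves the images are the provisioned ones, not that they are free of bugs.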

Guess what? DRM is Cool
• According to a recent survey, iPods are cooler than beer
• Apple made DRM sexy and cool
– The iPod begat ITMS
– ITMS was made possible because Apple came up with a rights management scheme that the content providers could deal with at $1 a pop
– In Feb 2006, the 1 billionth song was downloaded from ITMS
– 1 billion songs means people think ITMS is cool
– Through transitivity, Apple made DRM cool or
• What does Apple have to do with Trusted Hardware?

Funny You Should Ask
• Apple just made trusted hardware sexy and cool (And you
didn’t even realize)
• Enter the MacBook Pro
– When Apple switched to Intel, they developed Rosetta… an emulator
that dynamically translates PPC opcodes to x86
– Apple is using the TPM to protect Rosetta from starting unless the
TPM is there
– Ensures Apple proprietary SW only runs on Apple HW
– Maxxuss repeatedly bypassed this protection

[Diagram: Legacy PPC App -> Rosetta (translated to x86) -> Intel Processor, with the TPM beneath]
IA Trend - Trusted Hardware
• Many other vendors also working to integrate trusted
hardware
• A variety of impacts on field operations
– Can make decryption of encrypted data VERY difficult
– Can make compromising a target’s computer more difficult
– Provides security throughout the network, not just at a system
level. This is FANTASTIC for device authentication
– Trusted Network Connect
– Key management is not just for strong crypto anymore
• More info: http://www.trustedcomputing.org/


Secret #4 - Decreased exploit development timeframe and
mercenary exploit dev are empowering the individual attackers
• Patches have two major uses
– Secure a system that has a known vulnerability
– Determine what vulnerability was patched in order to develop an exploit

[Vulnerability Timeline diagram: Vuln Disc. -> Patch Rel. -> Exploit Rel. -> “High Risk for Large Scale and Highly Targeted Attacks” -> Majority Patched]
• In the last several years, there has been an incredible decrease in the amount of
time between patch release and creation of a successful exploit
– Microsoft’s Patch Tuesday has been great for both attackers and defenders alike
– The moral? Patch disclosure is essentially the same as vulnerability disclosure
• Many security companies now offer money in exchange for exclusive rights to
exploits from mercenary exploit developers
– Tipping Point’s Zero Day Initiative (ZDI)
– iDefense’s Vulnerability Contributor Program (VCP)
– Etc…
– These programs have “rewards” programs, as well as other incentives…
– This has TOTALLY changed the “full disclosure” argument

Secret #5 - For Operational Security,
Microsoft may be your best bet
• Operational security is just as much about scalability, monitorability, and
manageability as it is about the technical “security” of the product
– MS got it wrong for a LONG time… it allowed a HUGE industry to develop around it
that provided security products to the consumer and enterprise
– Also, other operating systems were viewed as “more secure” for a variety of reasons
• But now MS has spent more money on security than many countries spend on IT
– Even if they get most of it wrong, they’re moving in the right direction… They’re talking
about MLS by ‘10
• Unlike OSS, with MS, you have a product roadmap, you have a coherent
integration of many business apps, you have security woven through the entire
OS and application layers, AND you have a patch process that basically makes
sense
• Ultimately, the premise has changed… while before the security vendors knew
security better, now MS does
– Causing obvious problems with 64-bit Vista
• http://www.shmoo.com/~gdead/ for more info on operational security and MS

Secret #6 What is the best
mechanism for finding attackers in
your networks?

Administrators are the first responders
• … they should be armed as such…
• Networks are dynamic critters. The systems and network
administrators know them better than any monitoring software will
– For networks without administrators (sensor nets, local networks in
airframes, etc) specific monitoring procedures need to be developed. But
these networks tend to be closed systems with easily profilable behaviors.
• What gets one-off (dangerous) attackers caught?
– Bandwidth increases
– Running out of disk space
– Patches not applying properly
– Change management failures
– CRAZY syslog entries (huge binary blobs in syslog entries, for instance)
– In summary… things sysadmins and NOC operators will notice. Hard for
automated systems to recognize whether these are security issues or not
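The “CRAZY syslog entries” bullet above, as an added example that is not from the deck: a triage pass over constructed syslog lines that flags entries carrying runs of non-printable bytes or an abnormal length, the kind of thing an admin spots while eyeballing the log. The thresholds are assumptions to be tuned per host.

```python
import re

# Constructed sample syslog lines (not real logs). Line 3 carries a run of
# non-printable bytes; line 5 is an oversized entry.
SAMPLE_LOG = [
    "Jan 12 10:01:02 host sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "Jan 12 10:01:09 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 10:02:31 host in.ftpd[901]: USER " + "\x01\x02\xff\xfe" * 80,
    "Jan 12 10:03:00 host kernel: eth0: link up",
    "Jan 12 10:04:00 host httpd[300]: GET /" + "A" * 2000 + " 404",
]

NONPRINT = re.compile(r"[^\x20-\x7e\t]")   # anything outside printable ASCII

def suspicious(line, max_len=1024, max_nonprint_ratio=0.05):
    """Return a reason if the entry looks like something an admin would flag
    (binary blob, oversized entry), otherwise None. Thresholds are assumptions;
    tune them to what is normal for your hosts."""
    n_nonprint = len(NONPRINT.findall(line))
    if n_nonprint / max(len(line), 1) > max_nonprint_ratio:
        return f"binary blob ({n_nonprint} non-printable bytes)"
    if len(line) > max_len:
        return f"oversized entry ({len(line)} bytes)"
    return None

def triage(lines):
    """Return [(line_number, reason, first 60 chars)] for entries worth a look."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reason = suspicious(line)
        if reason:
            hits.append((number, reason, line[:60]))
    return hits

if __name__ == "__main__":
    for number, reason, preview in triage(SAMPLE_LOG):
        print(f"line {number}: {reason}: {preview!r}")
```

As the slide says, the script can only say “this is odd”; whether it is a security issue is still the admin's call.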

Secret #7: Most organizations don’t have
staff dedicated to monitoring the security
of their networks and systems
• What works for securing DoD may never work for
anyone else
– Just like how MS deals with software security may not
work for anyone else
– 800 lb gorillas are not good examples
• You’re lucky to find staff dedicated to security
configuration, let alone security monitoring

Secret #8: There are several proactive
detective mechanisms that work without
breaking the bank or your staff
• Host integrity monitoring
– Looking for changes on the end hosts, especially in system directories,
can be very successful
• Network services monitoring
– Scanning internal networks looking for open ports will at least find
new TCP services… great for change management control as well
• Monitoring defacement archives and other open source
locations for your assets
– If the Internet knows you’re p0wned, shouldn’t you?

• If you don’t get these right… why do more?
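The host integrity monitoring bullet above in working form, as an added example that is not from the deck: hash every file under a system directory together with its permission bits, then diff a later snapshot against the baseline so added, removed and modified files (a mode change alone counts) stand out. The temp-dir contents are constructed stand-ins for real system files.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, permission bits, size) for every regular
    file under root. Symlinks are skipped."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (hash_file(full), st.st_mode & 0o7777, st.st_size)
    return snap

def diff(baseline, current):
    """Added, removed and modified paths; a mode change alone counts as modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed demo: a temp dir stands in for a system tree like /usr/sbin."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sbin/sshd", b"sshd binary")
        _write(root, "sbin/ls", b"ls binary")
        _write(root, "etc/motd", b"welcome")
        baseline = snapshot(root)                               # taken on a known-good host
        _write(root, "sbin/sshd", b"sshd binary + patch")      # content change
        os.chmod(os.path.join(root, "sbin/ls"), 0o4755)         # setuid added, same bytes
        _write(root, "sbin/.hidden", b"new file")               # dropped into a system dir
        os.remove(os.path.join(root, "etc/motd"))               # file removed
        return diff(baseline, snapshot(root))
```

Store the baseline off the monitored host; a baseline that lives next to the files it describes can be edited along with them.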

Questions?
