
3.16.2008

How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is though I'm far from alone. Millions of people have been getting into one of the many massive multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours in their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 a month adds up). This has become my motivation as I decided on the focus of the practical for my GIAC Certified Incident Handler Gold certification.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller & Dino Dai Zovi's Second Life exploit, the unique factors that go into handling attacks in multiplayer online games are interesting. On one hand it's very much like a real economy (characters have assets, experience, and money of some kind), and yet it's also very different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:


While generalized incident handling practices are essential to any system or network, they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However, among specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massive multiplayer online role-playing games (MMORPGs) continue to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes so do the criminals, and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or simply to gain the upper hand in gameplay, more and more vulnerabilities are being discovered and exploited in online games.

MMORPGs are unique environments: worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity creates the vibrant and unique environments that make these games interesting to play, but it also creates a nightmare of tradeoffs that an incident handler must weigh when responding to a compromise.

This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be a set of generalized incident handling guidelines for online games, a superset of the general guidelines such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration by incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part on case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience to this effort as possible.

Even though it results in writing a paper and being uber-whitehat, I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself, since the online gaming industry is already doing billions of dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: What are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), or send a carrier pigeon. I'm interested to hear what you have to say.

1.16.2008

Nasty Idea of the Night: Bittorrent "Worm"

It's been awhile, but then again, it's always been awhile, but I digress.


So a nasty idea popped into my head tonight. Imagine attacking a BitTorrent swarm by finding a buffer overflow in the client software, where each host compromised checks its peer list and compromises all those as well. Add extra nasty and have the payload also check for other torrents and send the exploit payload to those as well.

Interesting points:
  • Could move incredibly fast.
  • Complicated issues with client vulnerabilities vs protocol vulnerabilities. Unlikely to write an attack that works universally. 
  • Price the RIAA would pay for such a thing? *What's the keystroke for infinity*
  • Tracker vulnerabilities.
Just a random thought. More to come.

10.15.2007

Introducing Pulse

Well if you've been doing DNS zone transfers on VulnerableMinds.com then you know, but for the rest of you Pulse has been a mystery. Begun as Project Tango, Pulse was meant to do one thing: give you a summarized, quick, complete look at the status of the information security threat landscape. It's a simple concept, but a lacking resource on the Internet.

Pulse came out of my own needs as a threat analyst. Work leaves me with no shortage of projects, research, emails, and meetings, and yet the imperative need to have a complete view of what vulnerabilities, exploits, and malcode are affecting all platforms. RSS feeds were a good start, but I quickly found myself reading dozens of feeds a day, many filled with useless information. Many I was able to replace or weed out, making it easy to get general news and opinions, but I still needed more. I still needed information about threats, vulnerabilities and the code to exploit them, but struggled with so many feeds, and I still spent a huge amount of time reading unimportant information.

To this end I decided I needed a tool of my own, something to bring all these feeds together into one place and yet eliminate the chaff, the low threat, the endless mailing list responses; the unnecessary.

The result is Pulse.

Now Pulse is a huge part of my daily workflow. I start my day with it, along with SANS Internet Storm Center and Arbor Networks Atlas portal. I feel that this combination gives me all the information I need to know to be on the "pulse" of the infosec threat landscape. 


I'll quit waxing philosophical about the whys and hows. It's straightforward, but I feel like it meets a need that isn't easily being filled by other services available on the Internet. So take a look, use it, enjoy, and feel free to send me feedback. Pulse isn't done, it's not finished, it's just beginning. To find out more:

7.10.2007

Another iPhone Security Perspective

Alright, I promise, last iPhone post, at least from me.


The fine folks over at Symantec's Security Response group are apparently taking a look at the iPhone from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (See: iPhone sounds a lot like iPwn), and with good reason. It would seem that Apple hasn't been as cavalier with their AJAX/iPhone integration as early reports suggested. For now that confidence seems well placed, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.

So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...

6.25.2007

Bad Reputation vs Bad Assumptions

I was wandering through my blog list today and, by way of the ever enjoyable Observations of a Digitally Enlightened Mind, came across an interesting but, in my opinion, totally unfounded and flawed article related to security.

The article in question is one where PopSci published a list of the 10 Worst Jobs in Science. Many of them are truly awful, jobs I wouldn't wish on my worst enemy. Mind numbingly, stomach turningly bad. It was at #6, nearly halfway down a terrifying list, that the job in question was described.

Now I've been a Microsoft hater in my day, no question. As a security type person they've been quite the headache at various times, and as an Apple fan I don't really find it an enjoyable system to use. That being said if Microsoft were to track me down and ask if I was interested in a job working with their security teams I'd jump at it. 

Now the article is very correct about one aspect of it. Microsoft does wear a big "Hack Me" sign. It'd be nonstop pandemonium. Attacks from every angle, computer criminals gunning for you every day. If it's not the operating system it's the office suite, if it's not the office suite, it's the browser. There are few pieces of code attacked as aggressively as Microsoft's; it comes with the territory when you dominate the marketplace in as many genres as they do. Microsoft should wear that "Hack Me" sign proudly, maybe with a big gold chain (that they can afford) and some bling letters.

So yes, under attack constantly. While I can't speak for anyone else, that's exactly why I'd want to work for them, and I think that's perfectly natural. Surgeons may not like people being sick or hurt, but they sure enjoy cutting them open, or so I'm told (by my uncle who is one). It's the same with information security. A week (like the past couple) with few large threats gets dull quickly. Now the week when the ANI attacks came out, that was fun. Would working for Microsoft be easy? Not in the least, but rarely do people learn when they're "safe". They don't grow without challenges.

If I wanted easy I'd go be a security guy for a small mom and pop somewhere, nice and safe, with a small number of supported apps, a smaller number of machines, and five users I could personally beat for being stupid. The Microsofts, Amazons, Mozillas, government groups and financials are in the thick of it, defending dozens of complex pieces of software, hundreds of thousands of machines, and billions of dollars. The Internet is a very dangerous place for groups like those, and I believe that's the most attractive reason to work for them.

6.13.2007

iPhone sounds a lot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone with a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.

My overall take on it? I've had a number of smartphones and aside from making calls I mostly just used the browser. As for other applications after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone I truly believe that the killer app will be Safari itself, if it is all that Steve has tried to demonstrate it to be (and it may or may not be). I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smart phones I've yet to see an app that overshadows the core functions of a phone: making calls, text messaging, and maybe, if you're lucky, getting email or browsing the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on Javascript/Ajax (as though you can have one without the other), you create a new problem: web pages can have amazing integration with your personal phone. Let me rephrase that: Advanced applications, running from remote servers, with both instructions and data, a model that has already been shown to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time Javascript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all those are only most of the time. There are plenty of side effects to current web technology that make a security researcher pull their hair out, and that's all in the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just Javascript and his particular brand of maniacal thought.

It would seem, based on current information, that Apple is deliberately adding such features, creating a potential security nightmare by deliberately giving web applications the ability to circumvent the sandbox. So what will happen? XSS attacks that rewrite your Addressbook? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, who so often touts their security record (no I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received. All of this is obviously speculating the worst, but Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design, what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

5.19.2007

Time for a Tango

Well I've had a number of people curious about Project Tango. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back end pieces for finalization and release.

So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:

  • Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.
  • Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email, pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.
  • Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.
All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.

5.11.2007

Project Tango

No, this is not a reference to my favorite partner dance, and only partially an allusion to the common term used by counter terror teams to reference subjects. Project Tango is a new initiative of mine that will be coming to the site soon. I'm hoping this will meet a need many already have in a new and innovative way.

This is a new direction for Vulnerable Minds, an experiment if you will, and I look forward to unveiling it. Want a hint as to where? All I'll say is Yahoo Pipes and Google Reader are two great tastes that taste great together.

4.29.2007

A Safer Apple Experience per Grandma Roberts

In these days where everyone is getting worked up over OS X vulnerabilities it's somewhat easy to not know quite how to respond. I love my grandmother partially because even though she may not read all the warnings on SANS Internet Storm Center or read John Gruber's surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It's really quite touching and means a lot that she cares enough to take an interest in what I do.

It also throws some things into a different perspective for me. I often ask myself how this, be it a new vulnerability or defensive technology, would impact my grandmother. Now I've heard of this technique used to shift paradigms and gain a better understanding of a technology, but for me it's also protection, since I never know when my next call to Grandma could turn into "So Scott, is my Mac going to get broken into?"

What can I say? My grandma is a proactive person. It puts a lot of pressure on a guy. I'm used to explaining the newest vulnerabilities, exploits, worms, and attack techniques to a cadre of some of the finest information security analysts in the world. I'm used to producing technical write ups that go to highly skilled information security teams all over the world. Explaining how Dino D's exploit will impact my grandmother? Much more complicated. It can't be a "O don't worry, it'll be fine Grandma, I promise." No sir. Last time I tried that was over a printer, and so insistent was my grandmother on getting it sorted out herself that I ended up wearing half a cartridge of printer ink. So if Grandma gets wind of this I have to be prepared not just to explain what's going on and its impact, but also how Grandma can mitigate the issue for herself.

I figure such things might also be useful to the community in general. Perhaps you have a grandparent or parent with a similar iron will and determined interest. Perhaps you're just curious. Here goes.

Scott's Guide to Securing Grandma's Mac:
  • Disable the automatic "Open 'Safe' files after download." in Safari.
  • Disable Java in Safari.
  • Turn on the Firewall.
  • Stop using the Administrative Account for day to day stuff.
  • Use strong passwords on all user accounts.
  • Give Keychain a different password than your user password.
  • Turn on Filevault.
There ya go. That's the basics, as per Scott Roberts and, even though he may not remember it, Timothy Martin. Most of those steps, though very similar to those Dino himself recommended, were pulled from a presentation Tim and I gave as the Security Geniuses for the Penn State Mac Users Group more than two years ago. Oddly enough they're still relevant. Some things never change.

Not enough for you? You want more Mac security goodness? O well I've got that too:
There ya go. That's four different ways to lock down your Mac. Are they perfect? No, not quite, but as fellow Vulnerable Mind Rolf constantly says "You're only 'secure' in a single moment. Staying secure is a process." Wise words from the Vulnerable Minds elder.

4.22.2007

It's the beginning of the rest of the world...

From Errata Security:

"The badass guys at Matasano, namely Dino, just pocketed a cool 10k and a Macbook in the CanSecWest challenge to own a Mac. Tom is right, brace yourself for the flood of Mac faithful posts about why this doesn't count. I can hear John Gruber tapping away and silently sobbing in the distance."
Yep, guess what, Dino from Matasano Chargen popped a brand new, fully patched MacBook Pro with an 0-day exploit for Apple's implementation of Java, exploited through Safari (which is rumored to be vulnerable in Firefox too). Congrats to Dino, and to the rest of the OS X community: Breathe.

Now I'm a big Mac fan. I adore the things. My Mac is the best tool out there for the work I do. As a general computer user and as a security researcher it provides the platform to code, create presentations, work with multiple operating systems, communicate with others, and all the other things I do with a computer. And you know what, I do believe I have to deal with fewer actual instances of malicious code.

Now that is not me saying this doesn't count. It does and everyone needs to acknowledge it. That's not me saying that my Mac is inherently more secure, it is not. Vulnerabilities are errors in how applications are designed and/or implemented. Since Steve J, for all his brilliance, still has people designing and coding the Mac OS, its drivers, its applications, and its hardware that means there will be flaws, mistakes. Just like Windows (NT, XP, or Vista) OS X will experience flaws that can be used maliciously to execute code, corrupt files, and all manner of other things. That's not a new thing since Dino owned that Mac at CanSecWest, that's the way it's always been, and the way it will continue to be.

I take the same stance on this that I've always taken on OS X vulnerabilities. I'm not getting worked up, I'm not changing my habits, I'm not gonna sell my Macbook and get a Thinkpad to put Ubuntu on (though I may keep my Macbook and get a Thinkpad, this one if you're generous, to put Ubuntu on). I'm going to advocate the following things to Mac users:
  1. If you're running a Mac, recognize that you don't exist in a bubble of security that can't be popped.
  2. Be cognizant of what we realized in step 1, and try to learn some good computer use habits.
  3. Inhale.
  4. Exhale.
  5. Repeat steps 3 and 4.
Now I have a different set of steps I'm going to advocate to Apple:
  1. Get fired up. This was your warning shot, one across the bow. Heed it.
  2. Double the number of people you're looking to fill the new security jobs available at Apple. Consider tripling it.
  3. Take a page from Microsoft and become more transparent. Microsoft's security program has an impressive infrastructure for communicating warnings, details, preemptive fixes, and basically how Microsoft is handling things internally to make people safer. Apple has largely kept security information under the radar, releasing patches without saying much more. Time to end that.
  4. Another thing to take from Microsoft: build security in from the ground up. The Secure Development Lifecycle isn't perfect, but it's a start. Better yet, Microsoft has been open about how and what they're doing to secure their software as they build it. Not a bad idea for Apple to develop a program like that, either by creating one, or disclosing the one that they have.
  5. Repeat step 5 from the users list.
It's time for everyone, users from John Gruber to my grandmother, and vendors from the Microsoft Mac Business Unit to Apple themselves, to stop believing Macs are inherently secure and start realizing that they are simply, like any other computer, securable.

Followup: After discussing this post with a few of the other Minds and like minded folk, it may have seemed that I'm suggesting Microsoft has figured security out completely and Apple just needs to copy what Microsoft is doing. I'm not suggesting Microsoft has the answer to creating the ideal operating system security program, just that they're closer than Apple is right now. Microsoft has made many admirable steps (as the nCircle folks seem to agree with me on) and Microsoft should be applauded for doing so. As they say, you eat an elephant one bite at a time. Microsoft seems to be getting that, and as for Apple, well, I'm going to start working on my own recipe for elephant, but don't wait for me.

4.14.2007

Sometimes it's better to sleep on it

But no gold star. Reading further information from Microsoft in regards to the current Windows Server DNS RPC vulnerability I read this new post on the Microsoft Security Response Blog: More information on Microsoft Security Advisory 935964. Now I really appreciate Microsoft's efforts at transparency, I really feel it's the Microsoft Security Response Center's best trait, and something other security shops at large companies could learn from.

I was a bit worried though when I read the following line:

"Our teams worked overnight to identify workarounds that could protect customers while we worked on an update."
Now, I really appreciate the efforts, but if you saw the recommendations you might be a bit concerned for the Microsoft Security folks. They lost a whole night of sleep to come up with their remediation actions: 3 different ways to turn the service off and the recommendation that you block the ports (all 3976 of them). Now I realize I'm over simplifying a bit, but not that much.

So yeah, add to that all the ANI fun, mostly the whole "working against Vista/IE 7" thing, and maybe my recent faith in Microsoft came a bit too soon. Such is life though, and I'm going back to setting up Win2k3 and its DNS server with all its RPC muckiness in VMWare so I'm ready when that PoC goodness drops. Until then I'm gonna spend my day shooting a few of the other Minds. Gonna be a good day.

4.09.2007

Introduction to Malware Analysis

From JST at Offensive Computing:

I have a folder (just over 300 megabytes/927 files), which contains a lot of malicious software. I uploaded it in case anybody wants to analyze it, or if anybody from anti-virus companies wants to detect it. A lot of it is already detected, but some of it is detected by some anti-viruses but not detected by others. There are all types of executable files, pif/exe/scr etc and also some .jpg/.zip which are really executable files renamed. There are also some HTML files, but a lot of those can just be ignored. Well I uploaded it all anyway.

The password for the rar file is "malware"
http://www.megaupload.com/?d=KE19T9DI

As someone interested in learning malware analysis this is a treasure trove of potential examples. Theory is great, and I love reading a good book, but having a third of a gig of applications to rip apart and find the nastiness really calls out to my "learn by doing" mindset.

I really enjoy the Offensive Computing site. These folks are really dedicated to what they do and have a ton of resources about their chosen specialization. So give their site a read, download their malware, and send me an email to compare notes.

4.03.2007

Week of Vista Bugs a poor April Fools Joke

If you are into the computer security information sphere, and I expect you are if you're reading this blog, then chances are you've heard the whole shouting match over the Week of Vista Bugs and its following firestorm. The long and short of it: it's a hoax. Game over.

Now this was something vaguely suspected by many, but at the same time it was something everyone in the security community had to approach with at least a guarded curiosity. Most major sites mentioned it, at least in passing, even if with a mention of the fact that it could be less than legitimate. Sadly this was exactly what the social engineers (a term I use with more than a little disdain, and I'm not fully sure they deserve even that high of praise) at TWOVB wanted, in an exercise they referred to as "hacking the media" on their revelation page. I'd go into more but I'm disgusted with the whole thing, so I'll let you read for yourself here:

The Week of Vista Bugs: The Truth

SANS Internet Storm Center: Week of Vista Bugs is a Hoax

3.04.2007

How to most effectively beat a dead horse...

The trend of Month of Bugs continues unabated. Let's look at the history and get my armchair analyst commentary:

  • Month of Browser Bugs
    • Leader: HD Moore
    • Impact: Effective, highlighted the importance of browser security and pointed out a number of noteworthy flaws in a wide range of browsers including IE, Firefox, Camino, Opera, and Safari.
    • Positives: Well researched, well orchestrated, spread over multiple vendors, including some vulnerabilities that affected multiple applications.
    • Negatives: Hard to say considering this one set the bar, and many since have fallen short.
    • Site: http://browserfun.blogspot.com/
  • Month of Kernel Bugs
    • Leader: LMH
    • Impact: Similar to MoBB. Showed that fuzzable flaws weren't purely things found in "trivial" places like browsers, but in serious places like the lowest levels of operating systems.
    • Positives: Took on an equally, if not even more, prolific area of system security. Lots of tasty PoC code.
    • Negatives: I didn't play with many of them myself, but I've been told some of the PoCs were a bit unreliable, not to mention many were not remotely exploitable.
    • Site: http://kernelfun.blogspot.com/
  • Month of Apple Bugs
    • Leader: LMH and Kevin Finisterre
    • Impact: Definitely the dark sheep of the "Months", the MoAB was littered with issues. While it did expose some flaws in Apple hardware/software, it did little to dissuade Mac users from a feeling of invincibility and was taken less than seriously, even by information security types. Also the first "Month" to have a concurrent project providing on the fly patches to each day's bugs.
    • Positives: Had its sights set on a group that needed to understand their vulnerability and went after a wide spread of Mac software.
    • Negatives: The spread was too wide. Many of the flaws found were shrugged off by Apple users as "not Apple problems" (See: PDF and VLC). Coupled with the fact that PoC was spotty and nothing was ever released about the crowning "Unspecified Kernel Remote Fun" this was thought by many to have not been worth the hype.
    • Site: http://projects.info-pull.com/moab/
  • Month of PHP Bugs
    • Leader: Stefan Esser
    • Impact: At first I thought this would be a joke. Vulnerabilities are reported every day in various PHP based applications. What is currently making this so effective is that they're only releasing vulnerabilities in the PHP core, not the poorly written Bulletin Board applications that get reported on daily.
    • Positives: Focused on the real security problems with PHP, not the low hanging fruit in 3rd party PHP applications.
    • Negatives: Well... this is where that beating a dead horse comment came from. PHP can seem like the majority of all vulnerabilities reported and it can seem like more PHP vulnerabilities are just overkill. Also no word yet on if fixes will be provided.
    • Site: http://www.php-security.org/
So what's my final take? Well, there's a place for "Months" but they're only effective if well done. What makes an effective Month? Here ya go:
  • Choose a relevant technology and make sure your vulnerabilities affect it, not arbitrary related software. If you say it's Apple vulnerabilities then fuzz iTunes, not VLC.
  • Going along with the last point, it's also important to deliver what you promise. If you promise a kernel level vulnerability then it better exploit the kernel. If you promise it's remote then it needs to be remote, not remote if you can social engineer someone to run it with Admin privileges.
  • Give us proof of concept code, otherwise it's too easy for everyone to say you're makin' it up.
  • If you break it then fix it, or at least find someone who will.
  • Be fair to the vendors and be fair to the users. Dropping 30 0-days doesn't help users. Being pushed around by a vendor who doesn't wanna fix their problems doesn't help users either.
All that said I welcome the Month of PHP Bugs. While I'm not a huge fan of PHP it is an important language that makes up many sites that are used daily all over the Internet. Stefan Esser has tried to improve security in every way he can, and for my money he's now responsibly using vulnerability disclosure in a way that will hopefully encourage the PHP team to make their language more secure, and that's better for everyone.

3.01.2007

The Early Bird

A recent Information Week article discusses the research efforts of someone near and dear to the thoughts of many Vulnerable Minds contributors: Peng Liu. Dr. Liu taught many of us during our tenure at Penn State, and was also our adviser as we started the Information Assurance club and Security Competition team. Now, he and his colleagues have filed for a patent on a new "worm stopping technology." This new creation from the department of IST "focuses on analyzing packet rate and frequency of connections, rather than signature or pattern identification."

While it is true that I was working with him at the same time as his work on this project, and I did pass on the opportunity to contribute, I still don't know much about the idea and would like to ask some probing questions to gauge community thoughts.

When I was new to the field I once asked, "Why don't we put some type of filter in place that notices a rapid escalation in traffic to or from a particular IP or port and we can stop (D)DoS attacks?" One of the replies I got was that it would quickly overwhelm the filter and we'd be back to square one. My question then is, why does the same principle not apply here? Dr. Liu points out that the Slammer worm sent out 4,000 packets per second. Part of the purpose of a worm is to cause a huge slowdown of the Internet by clogging up the tubes - I imagine these filters would take a serious hit pretty quickly.

Second, a worm does not need to send out an astronomical number of packets in a short amount of time to spread. Granted, it may not spread as quickly, but it will also pass through more quietly. Would a worm that implements this technique fall through the cracks with the new Penn State technology?

Finally, this is an anomaly based detection approach, and given the background of those involved I would guess it is more strict and mathematically based rather than AI-based (although it does mention a degree of intelligence: auto-unblocking mistakenly blocked hosts). Strict anomaly based detection is notoriously unreliable and inaccurate; what makes this any different? How is the baseline for normal established, how is the deviation measured, and perhaps most importantly, how is a "mistakenly blocked host" determined on the fly?
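To make those three questions concrete, here is a toy rate-based blocker, added as an illustration and not code from the post or from the Penn State project: a per-host baseline of mean + K * stddev connections per second, a block when a host exceeds it, and an auto-unblock once the host stays quiet for a few seconds. The hosts "web" and "ws", the training figures and the constants K, UNBLOCK_AFTER and STDDEV_FLOOR are all constructed; the Slammer-scale burst gets caught and released, while a worm spreading at 5 connections/s never crosses the line.

```python
# Rate-based worm blocking sketch (added example, not the patented design).
# A host is blocked when its outbound connection rate exceeds the baseline
# mean + K * stddev, and released after UNBLOCK_AFTER quiet seconds.
from collections import defaultdict
from statistics import mean, pstdev

K = 4.0             # deviation multiplier (assumed tuning knob)
UNBLOCK_AFTER = 3   # quiet seconds before a blocked host is auto-released
STDDEV_FLOOR = 1.0  # a perfectly steady host should not get a zero-width band

def baseline(training):
    """training: {host: [connections/s, ...]} -> {host: block threshold}."""
    return {h: mean(c) + K * max(pstdev(c), STDDEV_FLOOR) for h, c in training.items()}

def run(thresholds, timeline):
    """timeline: one {host: attempted connections/s} dict per second.
    Returns (second, action, host) events; unknown hosts use the mean threshold."""
    default = mean(thresholds.values())
    blocked, quiet, events = set(), defaultdict(int), []
    for t, second in enumerate(timeline):
        for host, count in second.items():
            thr = thresholds.get(host, default)
            if host in blocked:  # keep watching attempts to judge when it goes quiet
                quiet[host] = quiet[host] + 1 if count <= thr else 0
                if quiet[host] >= UNBLOCK_AFTER:
                    blocked.discard(host)
                    events.append((t, "unblock", host))
            elif count > thr:
                blocked.add(host)
                quiet[host] = 0
                events.append((t, "block", host))
    return events

# Constructed training data: a web server near 20 conn/s, a workstation near 2 conn/s.
TRAINING = {"web": [18, 22, 20, 19, 21, 20], "ws": [1, 3, 2, 2, 1, 3]}

def scenario_fast_worm():
    """Slammer-scale burst (4,000 attempts/s) from the workstation, then quiet;
    the web server's ordinary wobble (19-24 conn/s) must not trip the filter."""
    timeline = [{"ws": 2, "web": 24}, {"ws": 4000, "web": 21}, {"ws": 4000, "web": 19},
                {"ws": 1, "web": 20}, {"ws": 2, "web": 22}, {"ws": 1, "web": 20}]
    return run(baseline(TRAINING), timeline)

def scenario_slow_worm():
    """Low-and-slow spread at 5 attempts/s for a minute: never blocked."""
    return run(baseline(TRAINING), [{"ws": 5}] * 60)
```

The slow scenario is the point of the second question above: a threshold tuned loosely enough to spare the web server's normal bursts is also loose enough for a patient worm to live under.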

Note that it's not that I disagree with the premise, I'm just conducting a little vetting of the idea and attempting to learn more about it. I'm very glad to see something (perhaps) groundbreaking come from the many tens of thousands of dollars my friends and I gave to that school. Here's to not hearing the last of this. Cheers!

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

2.08.2007

Forget the watchers: Who will protect the protectors?

So Microsoft has posted what we (Windows related security folks I mean) can expect this coming Tuesday (which I refuse to refer to as super). A grand ol' 12 patches this time, with more than a healthy smattering of critical ones. One caught me off guard:

One Microsoft Security Bulletin affecting Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint. The highest Maximum Severity rating for these is Critical. These products provide built-in mechanisms for automatic detection and deployment of updates. Some of these updates may require a restart.
Interesting. It shouldn't really come as a surprise I suppose. Software is software, it's all going to have holes, and it's all going to need to be patched. Still, it always seems to make us pause whenever security products are possibly exploitable, like that dream where you're suddenly naked. Suddenly, abruptly, you're vulnerable.

This makes Symantec an interesting case study. They had a hole in Symantec Antivirus. Guess what, it happens. They put out a patch when the vulnerability was announced, no exploit really floated to the top, no big deal. That was in the spring. December rolls around and all of a sudden we get W32.Spybot.ACYR, a network worm exploiting that flaw in Symantec Antivirus. Why? Because most system administrators were great about updating their virus definitions, but seem to have not bothered to install the patched detection engine. Whoever said security devices were impervious? No one. This is why we deploy defense in depth.

Cisco is dealing with it now, with potential exploits against everything from routers to firewalls and IDS sensors. And now Microsoft is patching the majority of its security software, including its security crown jewel, Live OneCare. Many others have happened in the past, and yet still the Symantec worm happened, nearly 6 months later, because the message still hadn't gotten through: even your security software needs to be patched.

Still, I can't help enjoying the irony.

12.11.2006

Tell me if I'm too open about this...

So this past Friday I was lucky enough to compete in the 2006 edition of UCSB's iCTF academic information security competition. I can't say I played nearly as much of a part as I would have liked to, as my secret weapon, a culmination of my skill in both attack and defense was 1) not quite completed and 2) not relevant to the way UCSB set up the competition this year, drastically different from most CTFs.

I'm not quite sure yet what I'm going to do with my application. It's really very specialized, only useful in a computer security competition, though I hope it will be both functionally complete and feature complete in time for Defcon, where it might be useful. I think it's going to get integrated into another upcoming project. Anyway this post isn't about that, it's about something else I realized through my work setting up Snort on my iBook.

Why on earth does the OSX firewall force you to open the firewall to access ports on the localhost? To run Snort, using MySQL for my back end database and the BASE package for my user interface I needed to connect to ports 80/tcp and 3306/tcp. Now that makes sense, to connect to localhost:80 to see my BASE setup (running PHP in Apache) while both Snort and BASE connect to 3306/tcp to get to MySQL. Now those connections make sense, but the fact that I have to open my firewall to access these ports is ludicrous.

Now I don't know all the inner workings of ipfw, but this doesn't seem necessary, merely laziness on the part of Apple. It wouldn't have been hard to set up the rules in such a way that the localhost connection would be available, but not allow connections from outside hosts. I know many people who would make use of this, such as the multitude of web devs I know, and it seems ridiculous that this hasn't been implemented. There are many conceivable reasons for needing port based services without running a server that needs to be publicly accessible. Is this really too difficult or too much to ask for?

There are many things that can be done to reduce the risk to security, but by far the largest in my mind is simply reducing the attack surface of a given system. This often means minimizing access and exposure by limiting a system to necessary services. In this case, while these services are necessary they are not publicly necessary, and it is merely unnecessarily widening the attack surface to force the firewall to be opened to run these services even when the only connections necessary will be from localhost.

I hate to say this is another example of Apple being too content, bordering on complacent, in their own sense of security and not trying as hard as they could to keep their leading position. I hope someone stands up and notices, before it's too late.

Also congrats to Blue Blood Alpha, top 10 next year!

12.03.2006

Before you mention it...

One of my least favorite things is when something from the infosec world makes the "real" news. There's stuff going on all the time that could drastically affect everyone who's ever even thought of being near a computer, but they're often ignored, and it's a mystery to see what becomes big news, and what's ignored.

Example:

Big issue That Was Largely Ignored: Net Neutrality

The Internet being segmented based solely on how much money you spend to be on the Internet. Spent millions per year to have multiple OC-3 connections directly to a backbone? You get priority. Spent $40 per month (which is still way too expensive, Comcast) to get a mid range home cable connection? You're a second tier citizen whose needs and wants come second.
Results: Companies like Microsoft, Comcast, Verizon, and others paying to control the Internet to make even more money than they do now. For people like you and me YouTube becomes impossible to use, those with the desire to can run even fewer home servers than now, and the general expectations you have of how the Internet should act go out the window.

Minor Issue That Is Getting Huge Attention: The "Cyber Jihad" Against the United States Banking System
One small extremist website has announced they're going to attack the US financial infrastructure during the month of December. Hmmm, terrifying. Guess what, attacks happen all the time. There are already attacks coming from every edge of the globe all the time. Crime goes where the money goes. Banks have money. Put two and two together. Figured it out?
Guess what, the banks have too, most of them back in the 1990's, and the vast majority of them are well prepared. While I have no evidence to support this I feel pretty safe saying that the financial world is second only to the military in being ready to deal with cyber threats. In some cases the military could probably even learn a thing or two. I'm not really concerned that I'm going to wake up in the morning and find my bank compromised by Muslim extremists any more than I'm worried about the Falun Gong, the Tamil Tigers, or some random kid in a basement in Idaho.

Now I don't blame the people around me who get worked up about this sort of thing. I blame the media, their biases and their ignorance, for which stories get big play and make the 6 o'clock news, and which ones never get mentioned off the infosec specific news sites. That's not my friends' and family's fault. What I am tired of is when everyone from my friends and family to random people I meet on the street want to tell me about whatever issue makes it into the media as though I've never heard of it before, insinuating that I personally, and the security industry in general, aren't prepared for it, and in such a way that they've done me a favor by informing me of it.

Now asking me about something like the Cyber Jihad, knowing the field I'm in, is fine and I'd be happy to give my opinion if asked for it (I'm sure you're muttering something about my willingness to provide opinions right now). I actually enjoy that. That being said, don't insult me by expecting I have no idea about something that you caught on CNN and acting like you're helping me out. Security people, be it information security, physical security, homeland security, or any other security, are news junkies of the highest caliber. Security thrives on being aware of the changing threat landscape, so it's safe to assume that not only is any security person you know very in tune with mainstream media, but is also tapped into many industry specific news sources, and was probably intimately aware of and already moved on past any event before it even makes it to some mainstream media editor's desk.

So thanks for the tip, whatever it was, but I was already aware. Save the energy and give Security Focus or the Internet Storm Center a look. You might learn something.

Out of curiosity: Am I the only one who deals with this and feels this way?

11.20.2006

An Excuse and Thank You

So I've been working on a blog post for most of the day, and it'll be a good one *crosses fingers*, but trying to get the coherence I want is taking more effort than I'd like. I'm less than pleased.

In lieu of that I'll leave you something short to chew on:

I added John Gruber's Daring Fireball back to my blog list recently because.... I don't know. Everyone seems to think he's the Mac Pundit and that his words are gold, but I never really thought so. Even so, if I miss some word he says someone has to say I'm missing a vital piece of the Mac blog scene. He also seems to be the fountain of all baseless drivel that Mac people spew in regards to OS X security. I mean, I agree it's better than Windows, but it's not infallible, far from it, and possibly farther from it than we like to think.

For this reason I'd like to say a big thanks to Thomas Ptacek at Matasano for putting Gruber in his place. It's reasons like this that are why I hardly pay attention to Gruber, and hardly ever will. Read away:

Daring Fireball -> Matasano