Posted July 30th, 2007 by rybolov
I promised myself I would stop with the vendor bashing at least long enough to catch my breath. Well, sometimes in your life something comes along that you just can’t help but comment on.
Press release on how a network emulator can help with FISMA reporting.
This class of products is great–simulated network lag so you can test your network devices, software, etc. Every lab should have this stuff. I’m pretty sure that some of it is inside my building in the various replicas of customer networks that the engineers use.
But what does this have to do with information security management? Once again, it’s sprinkling the magic FISMA fairy dust and wishing that it makes your product a security device. Makes me wish I had the “make it secure” wand (complete with star on end and ribbons) that one CISO I know of carries about just for the purpose of being able to wave it around and say “*Poof* It’s secure now.” I figure happy thoughts are in there somewhere, but I’m just not seeing the exact mechanism.
My friends have a theory that I should start selling SOX socks and FISMA underwear. I’m not so sure about that, but I figure if it works for all these other products, it might be a massive moneymaker for me. =)
Posted in FISMA, Technical, The Guerilla CISO, What Doesn't Work | 1 Comment »
Posted July 26th, 2007 by rybolov
Nominations for the Pwnie Awards are open until the 28th. It’s still not too late to get in that last-minute nomination for your favorites.
Award categories:
Note that they don’t have a “Most Loveable but Still Harmless Curmudgeon who Obsesses about Flyfishing, Zombies, and a Whole Lot More” category because I could win it hands-down. =)
Deep inside the site is this link: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability complete with this song:
<Preamble>
Twas the night before Christmas, and deep in IE
A creature was stirring, a vulnerability
MS02-066 was posted on the website with care
In hopes that Team eEye would not see it there
But the engineers weren’t nestled all snug in their beds,
No, PNG images danced in their heads
And Riley at his computer, with Drew’s and my backing
Had just settled down for a little PNG cracking
When rendering an image, we saw IE shatter
And with just a glance we knew what was the matter
Away into SoftICE we flew in a flash
Tore open the core dumps, and threw RFC 1951 in the trash
The bug in the thick of the poorly-written code
Caused an AV exception when the image tried to load
Then what in our wondering eyes should we see
But our data overwriting all of heap memory
With heap management structures all hijacked so quick
We knew in a moment we could exploit this $#!%
More rapid than eagles our malicious pic came —
The hardest part of this exploit was choosing its name
Derek Soeder
Software Engineer
eEye Digital Security
</Preamble>
Posted in Hack the Planet, Technical | No Comments »
Posted July 25th, 2007 by rybolov
I’ve been courting with VLANs again this week.
For those of you who don’t habla routing and switching, VLANs are a way to carve out a virtual switch. You can share the VLANs over different physical switches using a technique called trunking, which comes in way handy.
Technically, it makes sense to take most (all?) of your switches and trunk them into one huge-gantic, gi-normous switch then do all the work with VLANs. This is the “cram everything (router, firewall, and port modules) into one Catalyst 6500 chassis and have a nice day” approach which Cisco will gladly sell you.
Until you start looking at the typical setup. For DMZ servers (just about everything I deal with is in a DMZ of some sort), it’s fairly standard to have a switch (or any number thereof) sliced up by VLANs for different functions and then each VLAN segregated by a firewall.
The problem with this is when you put untrusted/external and trusted/internal network segments on the same switch and use VLANs to separate them. Basically what you’ve done is taken a “moderately robust security architecture” and configured it so that the switch is a single point of security failure. That is, if you misconfigure or compromise the switch, you can bypass the firewalls.
In either case, being able to conduct a successful attack depends on misconfigurations which can happen anyway with firewalls, servers, and any other equipment that you own. The real problem is that single-point-of-failure that the switch becomes.
My personal rules for using VLANs:
- Don’t put untrusted/external and trusted/internal VLANs on the same switch.
- Putting untrusted/external and semi-trusted/DMZ VLANs on the same switch is on a case-by-case basis.
- Putting trusted/internal and semi-trusted/DMZ VLANs on the same switch is on a case-by-case basis.
- Don’t trunk VLANs across trust boundaries. I.e., don’t mix up customer switches with our own switches.
I think the key for today’s CISO is that when people bring you drawrings of what the network looks like, you should get both a logical network drawring and a physical network drawing. The differences between the 2 might shock you. Usually when you’re asked to approve a design, you get the former and not the latter, so the usual caveats apply.
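The rules above as an added example that is not part of the original post: a small audit of a constructed physical switch inventory (switch names, VLAN ids, trust labels and trunk owners are all made up) that reports the hard rule and the case-by-case rules separately.

```python
# Added example (not from the original post): audits a constructed switch inventory
# against the post's VLAN rules. All switch names, VLAN ids and owners are made up.

# Trust zones, named as the post names them.
UNTRUSTED, DMZ, TRUSTED = "untrusted/external", "semi-trusted/DMZ", "trusted/internal"

# Constructed PHYSICAL inventory: VLAN id -> trust zone, per physical switch.
SWITCHES = {
    "core-sw1": {10: TRUSTED, 20: TRUSTED},
    "dmz-sw1":  {30: DMZ, 40: UNTRUSTED},        # DMZ next to external: case-by-case
    "edge-sw1": {50: UNTRUSTED, 10: TRUSTED},    # breaks the hard rule
}
# Constructed trunks: (switch A, switch B, owner of A, owner of B).
TRUNKS = [
    ("core-sw1", "dmz-sw1", "us", "us"),
    ("dmz-sw1", "cust-sw9", "us", "customer"),   # trunk across a trust boundary
]

def check_switches(switches):
    """Return (violations, reviews) for the co-location rules on each switch."""
    violations, reviews = [], []
    for name, vlans in switches.items():
        zones = set(vlans.values())
        if UNTRUSTED in zones and TRUSTED in zones:
            violations.append(f"{name}: untrusted and trusted VLANs on the same switch")
        elif DMZ in zones and zones & {UNTRUSTED, TRUSTED}:
            others = sorted(zones - {DMZ})
            reviews.append(f"{name}: DMZ VLANs share the switch with {others}; case-by-case")
    return violations, reviews

def check_trunks(trunks):
    """Flag trunks whose two ends are owned by different parties."""
    return [f"{a}<->{b}: trunk crosses the {oa}/{ob} boundary"
            for a, b, oa, ob in trunks if oa != ob]

def audit(switches=SWITCHES, trunks=TRUNKS):
    """Combine both checks; 'violations' are hard failures, 'reviews' need a decision."""
    violations, reviews = check_switches(switches)
    return {"violations": violations + check_trunks(trunks), "reviews": reviews}

if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind + ":")
        for line in findings:
            print("  " + line)
```

Feed it the physical drawing, not the logical one; a logical diagram hides exactly the co-location the checker is looking for.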
Further reading:
Posted in Risk Management, Technical, The Guerilla CISO | 2 Comments »
Posted July 18th, 2007 by rybolov
Very interesting article on keyloggers and the AV companies.
I’m sitting here trying to think about the problem, the scenario goes something like this:
- I’m the police/$favorite_member_of_NIC and need to keylog somebody
- I need to get the keylogger to the target and their computer
- I need the anti-malware detector on the target computer to not find my product so I can both get a foothold and continue to collect evidence.
So putting on my thinking cap, this is a fairly complicated attack. Yes, malware vendors do it all the time, but they aren’t selective usually in what their target is–they’re throwing what they have at a bajillion targets and taking what sticks.
In order to do this attack right, I would need to know which type of AV/endpoint security the target uses or I need a technique that none of the vendors know about or how to detect. In order to find out the AV that the target uses, I can either break in, hire a snitch, or use a wiretap to wait for the software to phone home for a signature update. Once I know what exactly the target uses for protection, I can plan the attack.
Of course, this assumes that AV is 100% effective, which we all know isn’t true. =)
Posted in Hack the Planet, Odds-n-Sods, Technical | No Comments »
Posted July 6th, 2007 by rybolov
Becoming slightly annoyed with the problems getting feeds from Yahoo Pipes, I set up a simple cron job to snarf the RSS off the Yahoo servers every 5 minutes using wget. Then I changed the hrefs to point at my own server.
While testing wget, I found out why the pipes were bombing out: The Pipes server doesn’t issue a response until it has computed the feed, then it sends it all at once. This might be up to 10 seconds before the RSS reader gets any kind of a response back, which puts it into timeout territory some of the time. Trusty ol’ wget worked every time, though–I swear it’s one of the most reliable programs I’ve ever used at feeding it glop and getting back pure water.
So here you go. If you were having problems with getting blank feeds, it should be happy now. These are off the chateaublogsville server.
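The cron-driven mirror described above, as an added example that is not the post's own script: written in Python rather than wget so the patient fetch, the href rewrite and a "never publish a blank feed" check sit in one file. The Pipes URL, mirror hostname and served path are placeholders, and it assumes the hrefs being rewritten are the ones inside the mirrored feed.

```python
# Added example (not from the original post): a cron-driven mirror of a slow upstream
# feed. Upstream URL, mirror host and served path are placeholders, not real ones.
import os
import re
import tempfile
import urllib.request

UPSTREAM_HOST = "http://pipes.example"              # placeholder for the Pipes server
UPSTREAM = UPSTREAM_HOST + "/feed.rss"
MY_HOST = "http://blog.example"                     # placeholder for the mirror host
LOCAL = "/var/www/feeds/feed.rss"                   # placeholder served path

# Constructed sample response, for trying the rewrite offline.
SAMPLE = ('<?xml version="1.0"?><rss version="2.0"><channel><title>t</title>'
          '<atom:link href="http://pipes.example/feed.rss" rel="self"/>'
          '<item><link>http://pipes.example/item/1</link></item></channel></rss>')

def rewrite_hrefs(xml, old_host=UPSTREAM_HOST, new_host=MY_HOST):
    """Point href attributes and <link> elements at the mirror instead of upstream."""
    pattern = r'(href=["\']|<link>)' + re.escape(old_host)
    return re.sub(pattern, lambda m: m.group(1) + new_host, xml)

def looks_like_feed(text):
    """Reject empty or non-feed bodies (what a timed-out Pipes run hands back)."""
    t = text.lstrip()
    return t.startswith("<") and ("<rss" in t or "<feed" in t)

def fetch(url=UPSTREAM, timeout=60.0):
    """Wait far longer than a feed reader would; Pipes may need ~10 s to answer."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def publish(text, path=LOCAL):
    """Atomically replace the served copy; keep the last good one if text is junk."""
    if not looks_like_feed(text):
        return False
    directory = os.path.dirname(path)
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".feed-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(rewrite_hrefs(text))
    os.replace(tmp, path)   # readers never see a half-written file
    return True

if __name__ == "__main__":
    # crontab line (constructed): */5 * * * * /usr/bin/python3 /usr/local/bin/mirror_feed.py
    try:
        print("published" if publish(fetch()) else "kept previous copy (bad body)")
    except OSError as err:  # urllib timeouts and URLError are OSError subclasses
        print(f"fetch failed, kept previous copy: {err}")
```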
Posted in Odds-n-Sods, Technical | No Comments »
Posted July 5th, 2007 by rybolov
My customers, they come to me looking for nourishment, a late-night snack, or maybe some light reading. They want to be fed and they want it now, and I wake from my slumber to give it to them. They walk away satisfied.
My name is Mike. I am a feedmaster. This is my story.
Late last night I took Chateau Blogsville live and I’ve been adding to the filters throughout today in order to tune the output. Suspiciously, this is what life is like for the analysts working in our SOC. =)
Lessons from tuning feeds periodically during the day:
- I have a sizeable set of explicit blocks for quite a few terms coming from the search feeds. Even though I could build the search feeds with “NOT” values, I still had a bunch of trash that was more effectively deleted by a global junk screen.
- I developed an “allow” filter based on keywords in the content. This is what I call the “relevancy filter”. In Chardonnay, it’s used for the dirty gray and gray feeds. In Eiswein, it’s used for everything.
- I’ve done more blacklisting for the search feeds (dirty gray feed) on URLs than I have on keywords for the time being, making broad slashes through aol.com and myspace.com. Time will tell if this will be a fool’s game, since the spam blogs can come on pretty strong, and the only way to be sure is to nuke them from orbit.
- I think I’ve pushed pipes beyond what it can do. About every third time, I get a null results set (i.e., it times out). If you’re using a smart feedreader (I just make the feed a live bookmark in Firefox), it just keeps the last version and you don’t really know or care that your feed is outdated, as long as it catches up sometime.
- “Privacy” is the hardest thing to explicitly allow thanks to real estate, vacations, and dating. “Risk Management” comes in a strong second, thanks to banks, loans, and project management. Surprisingly, nobody but security people talk about BS7799.
- I’ve roped in some really, really surprising content through the blog searches on Technorati and Google. What this means is that I’ll find sites like The Technology Liberation Front which I’m now a fan of. With as much of a hassle the search feeds are to filter out the junk, I think they definitely add something that a closed or by-invitation-only blog feed is missing. I’ll most likely add more feeds like this as I think them up.
- Some of you will notice that at no point have I blacklisted the C-word (c*mpliance) but notice how it chokes itself to death nicely when you deny all but allow “risk management” and “penetration testing”?
- There are a couple of terms that I deliberately did not add to the relevancy filter. Dollar for the person who names one, and the C-word doesn’t count.
Chateau Blogsville is now officially open. I will replace the RSS icons with something better once my graphic designer gets them done.
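The deny-then-allow screening described in the lessons above, as an added example that is not the post's own filter code: a global junk screen, a URL blocklist and a keyword relevancy filter run over constructed feed items (term lists and items are all made up), showing how "compliance" drops out on its own and how a "risk management" false positive still sneaks through.

```python
# Added example (not from the original post): the deny-then-allow screening described
# above, run over constructed feed items. Term lists and items are all made up.
from urllib.parse import urlparse

JUNK_TERMS = ("real estate", "vacation", "dating", "loan")           # global junk screen
URL_BLOCKLIST = ("aol.com", "myspace.com")                            # broad slashes by URL
ALLOW_TERMS = ("risk management", "penetration testing", "bs7799")    # relevancy filter

# Constructed items in the shape a feed parser might hand over.
ITEMS = [
    {"title": "Privacy tips for your vacation home", "body": "...", "link": "http://a.example/1"},
    {"title": "SOX compliance checklist", "body": "Compliance made easy", "link": "http://b.example/2"},
    {"title": "Risk management for project managers", "body": "Gantt charts", "link": "http://c.example/3"},
    {"title": "Penetration testing report", "body": "...", "link": "http://blog.myspace.com/4"},
    {"title": "Mapping controls to BS7799", "body": "ISMS notes", "link": "http://d.example/5"},
]

def text_of(item):
    return (item["title"] + " " + item["body"]).lower()

def is_junk(item):
    return any(term in text_of(item) for term in JUNK_TERMS)

def blocked_host(link):
    """Match the domain and its subdomains, but not look-alikes such as aol.com.evil."""
    host = (urlparse(link).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in URL_BLOCKLIST)

def is_relevant(item):
    return any(term in text_of(item) for term in ALLOW_TERMS)

def screen(items, apply_allow=True):
    """Deny first (URL blocklist, junk screen), then require an allow term when asked.
    apply_allow=True is the Eiswein / dirty-gray behaviour; False is deny-only."""
    kept = []
    for item in items:
        if blocked_host(item["link"]) or is_junk(item):
            continue
        if apply_allow and not is_relevant(item):
            continue            # "compliance" alone never earns a pass
        kept.append(item)
    return kept

if __name__ == "__main__":
    for item in screen(ITEMS):
        print("kept:", item["title"])   # the project-management false positive survives
```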
Posted in Odds-n-Sods, Technical | 4 Comments »