Wednesday 31 December 2008

Approaching the end of the Noughtie’s – Moore’s Law and beyond !

As the clocks here in Oxford tick down to GMT 23:61 December 31 2008 (yes – there is an added leap-second this year) it is time to consider what the last year of the “noughties” (i.e. 200x A.D.) has in store for the world. It is common for those in the IT Security trade to forecast doom and gloom ahead. With our lives now dominated by the highly volatile world of digital computing it is rare that anyone gets their predictions correct.

A great exception to this has been the forecasts of Intel founder, Gordon Moore, and his “law” that the number of components on an integrated circuit doubles about every two years. This exponential growth has meant that the power of computers today far outstrips those of yesteryear. With the 40th anniversary of the Apollo 11 moon landing it is sober to realize that the power of the disposable CPUs on our chip-and-pin credit/debit cards exceeds that of the guidance system on the Eagle (the lunar-lander).

With such ubiquitous computing and the growth in the number and complexity of applications, my forecast is that exploits, like integrated circuit density, will obey a “Moore’s Law”. I expect exponential growth of exploits, fueled by profits from e-crime, to continue. The visible evidence for such a law will mount up in 2009.

Whilst the speed of light and the size of atoms seem to be limits that might affect Moore’s Law when it comes to the current technology of chips – what might control the limits of e-crime exploits in the future?

I wish you all a very rewarding 2009!

Wednesday 17 December 2008

Hack chain, held together by database attacks, linked at each end

As the western world enters their festive season the spirit of good will and peace to all men has most computer users lowering their guard. The rush to search the internet for gifts to buy and the process of ordering online has given those not winding down for Christmas (i.e. the attackers) a bumper harvest.

Following on from my previous post we see Microsoft issuing advice on how to mitigate newly exploited vulnerabilities in their web-browser that forms one link in a chain of vulnerabilities. What is really neat is that each end of the chain of this exploit requires an attack on a database. Initially, malware is force-fed into web-sites using a SQL Injection attack to poison an external database serving the web-site. Visitors of these sites accidentally load malware into their browser as served by the site. The malware then exploits the browser to masquerade as the computer user on the user’s own corporate network. Now the attacker is pretending to be an authorized user on the corporate network. The next part of the attack uses internal credentials to connect to an internal corporate database and then exploits vulnerabilities on the database to gain complete control of it. This includes stealing data and controlling the network further.

Organisation's internal databases are not well protected, and they typically expect their perimeter firewall to keep the outsiders out. Given the chain of events that allows an external attacker to get access to internal databases whilst appearing to be an insider, the perimeter firewall is totally ineffective. A database firewall is called for here. The best form of defence is to not trust any database accesses – regardless of whom and from where they come. This requires building active control policies for database usage and enforcing them. At Secerno, the DataWall™ product-line achieves just this by utilising the SynoptiQ™ Engine.

Break the chain of successful attacks! Proactively control and protect all your databases – from those on the inside – and those on the outside! It is no longer possible to safely discriminate who is who.

Friday 12 December 2008

How to make 1 + 1 = -10 (AKA combining two attack vectors to control a database)

Let me start out by warning that this post is quite “techie” and may be seen as academic by some readers.

I am always impressed by the ingenuity of the security researchers who find new ways to make systems do things that their designers and engineers never had in mind when the systems were built. Recent news from researchers discloses how it is possible to combine the elements of two long-known attack strategies: Buffer Overflow exploits and SQL Injection – to produce an attack on one SQL database platform. This is reported by The Register as “the vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application”. Tragically, the only advice from the vendor is to drop a particular stored procedure (there is no advice on what this is likely to break).

The basic attack strategy is to exploit a stored procedure that is vulnerable to SQL Injection and use this to then get access to the memory address space of the underlying operating system. Broadly speaking, this is similar to the outcome provided by a good-old buffer overflow exploit. (For those old security hands reading this you will probably remember the classic work “Smashing the stack for fun and profit” by AlephOne) . With access to the operating system and the precision of controlling directly what is put in the memory space we can pretty much get the machine to do anything! In reality, there are many easier to craft SQL injections that will give an attacker control of a system, but this new approach is worth understanding.

What caught my attention about this was that one of the areas I researched whilst at the Oxford University Computing Laboratory was automatically learning the high level strategies behind families of buffer overflow exploits. At Secerno, we have the technology (SynoptiQ(TM)) and the products (Secerno DataWall(TM)) to protect our customers’ databases from SQL Injection – whether or not it is attempting to smuggle a buffer overflow type attack, and stop the attackers causing something large and negative to happen on your databases (the minus 10 in the title of this post).

Thursday 11 December 2008

White-listing is officially the Protector’s “New Tool”

Anyone watching the item on the future of computer security will come away believing that there is a “new” technology riding to save us all on a white horse. This is the “New Security Tool called white listing”. Kym McNicholas interviews Paul Ferguson (Threat Researcher at Trend Micro) who says that “Antivirus software can’t keep up” with the thousands of new malware variants released each day. According to Ferguson the number of new malware variants seen in 2008 is greater than all those released in the previous 20 years.

Those of us who have been in the information security field for some time will appreciate that this is not new. The reality is that an infinity of bad things can be created and that we typically restrict ourselves to a relatively finite number of good things that we use and do. Keeping up with the bad guys guarantees we will always be one step behind.

So white lists are good – but how do we build and maintain them? How do we ensure that they are precise and accurate to suit our protection needs? As each protected asset is unique in its operating environment the precision we need for protection can only be gleaned from the operating context. Old style approaches of asking system owners to build their own white list signature decks from inadequate tools like regular expressions are not credible. Outmoded approaches consistently deliver error rates that are far too high to provide effective security. To reduce total cost of ownership, tools for building white list protection policies must be highly automated using intelligent approaches. This is exactly what we do at Secerno using our SynoptiQ(TM) technology to build defect free proactive policies that you can rely on.

Thursday 27 November 2008

False Positives are Irritants: False Negatives Hide Real Risks

Discussions about false positives seem to be hotting up again. Often, solutions are proud to provide their customers with a “low false positive” rate. Alas each and every error is a costly one. Every false positive incurs the financial cost of an investigation – or the risk of ignoring it. I won’t go into the economics of it here (but a white paper is available discussing the cost of false alarms to a business). The reality of a false positive is that the continued annoyance results in the trust in the security device to seep away., False alarms desensitize us all (consider a car alarm going off in a car lot – we rarely take any notice of them). Worse still is simply turning off the cause of the alarm (most likely a signature put in place to protect) – and then the protection itself has gone!

However many false positives we receive, it is human nature to assume that “at least it is stopping all the bad things”. If the burglar alarm continues to squeal, surely it is keeping out the burglars. The unfortunate truth is that false negatives should be given the highest priority. Security systems that allow attacks through without alarming hide a huge risk.

When you are considering a system with a “low false positive” rate -- don’t forget to ask about their false negative rate. That is the one that determines whether the system provides any security at all!

Monday 24 November 2008

Card fraud: Skimming or Database Attack?

I have just come back from visiting a customer in the Gulf. The customer was not in the banking sector but it was brought to my attention an event in the region about a month ago where UAE banks were hit by a wave of card fraud. None of us want to have to replace our cards or our passwords unless we really have to, so it is quite startling when a number of different banks contact their customers to force them to make these changes. The rumors were that a gang had put up cameras and skimmers to capture card and PIN details. I am troubled by the interpretation that skimming was to blame. The security on ATMs, particularly around what data is held where (e.g. the PIN is never transmitted unencrypted) is very solid. With such a large number of different banks being “hit” and with so many PINs being stolen I wonder whether there was actually an intermediate system that was holding too much card data -- and that it was vulnerable.

Friday 21 November 2008

Coming of Age

Party time!

Secerno hit its fifth birthday this week and co-Founder/CTO Steve Moyle and I spent a few happy moments reflecting on half a decade that has flown by as the world has changed rapidly.

Five years ago, there was no database security market worth speaking of. Since then, the focus of both criminal activity and the security industry has lifted up the stack from the network to the application layer – and specifically to the database. Previously seen as bomb-proof, the all-important database is now recognized as a vulnerable component in the IT infrastructure – and the most valuable.

Which is where we came in. Five years on and there is now an answer to the question of how to stop the kind of focused database attacks that have started to plague companies around the world. These are often targeted, intelligent exploits that need to be stopped by specialist, intelligent defense. If all your database security does is tell you how the data was stolen, then it’s a forensic tool masquerading as security. If it doesn’t stop the attack, then it’s not a defensive player – it’s a commentator!

Five years on and the passion remains. We are starting to hear rumours of another major breach in the US. We’ll say more when we can. These things have to be stopped.

Database security is ready to come of age.

Paul Davie

Wednesday 19 November 2008

The Greater Good

There has been much interesting discussion in the press recently about individuals’ privacy rights and the threat to them from the development of now consolidated medical databases. In one of this week’s thought-provoking articles in The Guardian, the view is put forward that the privacy of millions of patients of the UK’s National Health Service could be swept aside by a government plan to let medical researchers have wider access to our personal files.

I’m in favour, of course, of medical advancement. Almost all of us are. It’s a necessity. But this project is just one of a series of public sector database consolidation projects. With each consolidation comes additional risk, as small, local communities in which all users are known, become replaced by national access systems with thousands of authorized users. Spotting the few careless or corrupt users then becomes a totally new challenge. The Contact Point project mentioned is the one that causes me most concern, as it contains data on the UK’s children, made available to every local authority in the land. Data security is primarily passive – coming via authentication and an audit trail, it appears. Chilling.

The companies building the architectures would gladly include the additional layers of security needed were the government to specify the highest level of database security for each project - but this is a new area and budgets were often tightly specified a while ago.

I'm a scientist by training and have worked with pharmaceutical and biotech companies for two decades. Their world is changing dramatically, with collaborations forming between competing drug companies, clinical research organizations, hospitals and academic groups to tackle complex therapeutic challenges. Data - often sensitive data - are washing around between all of them. Tracing who is using (and losing) data, is a huge new problem. But we need to remember that this type of data is the lifeblood of these important projects.

We need, reluctantly, to accept that data about us is out there in countless places – very few of us can practically avoid this. But we do need to be adamant that we own what defines each of us and that we retain the right to know how and where it is handled and especially, we have the right to know when it has been lost or stolen - whatever the UK Government and Information Commissioner's Office may say on the issue of breach disclosure.

I'm personally totally in favour of the right of any individual to opt out of having their medical (and other) data shared, though I may well, nervously, remain opted in myself. We have so much to gain from the medical advances that some of these projects are seeking to address. I guess it’s just a question of the greater good?

Paul Davie

Monday 17 November 2008

A Safer World

I was at the third Global Security Challenge event at the London Business School on Thursday. This is a well-organized conference that has grown from small beginnings and is a huge credit to the LBS students that organize and run it. They have secured fantastic business sponsors and some extremely high-caliber speakers for a competition to showcase the latest innovation in security in its widest sense, from new-generation lie detectors, to sensors, tracking systems and new encryption technologies.

I was particularly impressed with the presentation from Chris Darby, President and CEO of InQtel. In a talk presenting huge accumulated wisdom of great value to the budding LBS entrepreneurs in the audience, he summed up the security proposition neatly as “We all just want a safer world for our children”.

And so we do. Yet so much of day-to-day IT security is about coping with the minutiae of small breaches and subsequent irritations. The following evening I met up with Alf – a lifelong friend and small-businessman in Oxford, UK who has managed to keep his own business running on a shoestring for fifteen years. His week was made miserable when he was unable to book the transportation needed to meet his delivery commitments. It turned out his company credit card had been cloned and abused, creating the sort of short-term problems that can kill companies in times like these.

The question we pondered was “who knew about this?” Alf still doesn’t know how his card data was stolen, but could he have been informed before? I was disappointed to hear the UK Information Commissioner, Richard Thomas, supporting the Government’s view that US-style data breach disclosure legislation “would be a significant additional burden for businesses, and could cause public 'breach fatigue'". Well, from where Alf sits, the burden on his small business came from a data breach, and the thought that there might be another company out there that knew it might have lost his data but kept quiet about it is an infuriating one.

Protecting and validating identity was a big issue for global security and a business-threatening issue for Alf and other such hard-pressed businessmen. The idea that a European firm could lose data and not have to tell those affected still bewilders me. Are we really creating a safer world for our children when we allow those whose data security has failed to sweep this embarrassing fact under the carpet?

Paul Davie

Addressing the insider threat to Database Security

I was out and about on the European Conference circuit again last week. A trip to the Netherlands included an invited presentation at the ISACA Network Security Conference and a scout around the InfoSecurity Netherlands show.

My presentation – “Addressing the insider threat to Database Security” – was well attended with people having to stand in the doorway for the 90 minute session. After the talk, I was approached by a couple of security guys from Germany who wanted to know how they should implement separation of duties on a database (one of the recommendations in my presentation). I suggested they might like to ensure that the database operating system was managed separately from the database itself. This was a sensible enough scheme that they felt comfortable with. They asked whether it was secure. I then explained that it was quite straight forward to get remote operating system access through a badly written application (e.g. SQL Injection + netcat). This made their faces drop! Their moods improved when I said that Secerno DataWall™ neatly stops this.

A couple of the other ISACA presentations that I really liked were from Maksym Schipka of MessageLabs and Steve Orrin of Intel. Maksym gave a very thorough expose of the sophisticated micro-economics of the e-crime world:” Revealing the Secrets of the E-crime Underworld”. This is a world where anonymity rules and every supplier of a “service” is trying to scam every purchaser. I like the idea of “trusted intermediaries” who escrow bespoke malware and test the author’s claims before passing to the end ab-user – and taking a fee for the service. Steve from Intel gave a good session on the ins-and-outs of virtualisation and the security challenges and potential benefits: “From Virtualisation vs. Security to Virtualisation-based Security”. When we chatted after his talk he agreed that Secerno’s offering of a virtualised appliance was aligned with the ideas he spoke about.

I managed to get a few hours in Utrecht at the InfoSecurity Netherlands trade show. This was my first visit to that show and it seemed to be bustling. The usual larger security vendors were there including McAfee as well as many small specialist firms. It was good to see how many F5 resellers there were (F5 and Secerno products have a close relationship – more soon). The number of exhibitors was fewer than the InfoSecurity London show, but more than at the recent RSA Conference Europe – although of course the RSA Conference in San Francisco still trumps them all in terms of size. I was assured by a local journalist that it was bigger and better than last year. So this makes me wonder whether the recession is biting in continental Europe. One of the keynote speakers at InfoSecurity NL was David Litchfield from NGSSoftware. He is the world’s expert on database security having co-authored the “Database Hacker’s Handbook”. I was not able to attend his talk this time but I admire his work.

Saturday 1 November 2008

Steve’s musings from RSA Europe 2008

RSA Europe was held again at ExCel at the outskirts of London Docklands. Great venue – but the location is not really London and can disappoint some who travel from abroad. Also the timing was not great for UK-based InfoSec professionals with families –the show was held in school vacation time (half-term).

There were many familiar faces at the show: both at the exhibition and fronting many of the keynotes and other sessions. Art Coviello, President and CEO, RSA Security was pushing for “Thinking Systems”. This is quite close to my heart as my academic heritage links directly back to Alan Turing (who was the “motif” for the show) who spent much of his time contemplating thinking machines. Indeed, some core of these ideas can be found in the core of Secerno’s symbolic machine learning techniques.

RSA was a busy time for me – I was involved in three sessions and manning the Secerno stand along with the great networking that was provided in the evenings. My presentation “Regular expressions as a basis for security products are dead” went down well and even though it was reclassified as “Advance Technical” it did not deter an interesting audience. Some lively debate ensued after the talk. Although I could not make it, another talk mentioning SQL Injection was given – this was the talk on “SQL Smuggling”. I was not able to get to the talk, but the slides looked interesting. I know that the failures, pointed out by the presenter Avi Douglen, in outdated technologies does not apply to the Secerno SynoptiQ new generation technology.

My second “gig” was on Paul Fisher’s (Editor of SC magazine) CTO Panel. Although we were supposed to be blue-skying about “Beyond Tomorrow” it turned out that I was sat in the middle of two Malware CTOs who only wanted to think about malware AV and delivering this as a service. There were times when we were able to get the time horizons of the topics a bit further out. I did like Paul’s question about the Art’s “Thinking System”. I believe – and built that belief into our products - that security (and everything else in life) is a battle for knowledge. Thinking machines need to turn information into knowledge and then we can use that knowledge as a form of defence.

The final role for me was leading a special interest group “Securing Virtualised Assets”. Virtualisation drives down operating cost, but what does it do for security? The SIGs were a far more intimate affair with only 10 seats available around a table. It was pleasing to find security professionals who were being proactive in their company’s virtualisation efforts. It seems that there is confidence in how to tackle the security of back-office virtualisation projects. What was more edgy was how to do the same for the desktop. Interestingly, one of the attendees of my SIG was from Dell who had just announced that they were offering outsourced virtualised desktops.

Bruce Schneier’s address was as thought provoking as usual. He, like me, clearly sees that we are still the pioneers of computing as the field is still less than a century old. He drew analogies with industrialisation where output was important and pollution was seen as a necessary side effect. In the Internet era he likes to think of the massive data collection and the lack of care in its production and storage as being analogous to industrial pollution. One day, society will be forced to stop information pollution, and possibly need to go back and clean the information litter landscapes.

I chatted to Bruce after his book signing queues had died down. Last year, he left a message in the front of his book that he signed for me– and his message was “encrypted”. When I got home last year I gave it to my then 12 year old daughter to crack – “she got it in 5 minutes – right” said Bruce this year, in his rapid fire sentences. “Of course ...” was my reply.

Confession time...I did not tell him I had failed to crack it myself J.

No books for Bruce to sign from me this year. But Wiley, the publisher, did sell me Petzhold’s 2008 book “The Annotated Turing” on Turing’s famous 1936 paper on Computability and the Turing Machine. It is a good read – beautifully written – making the mathematics truly graspable.

At the exhibition the interesting new technologies were few and far between. I did quite like the concept behind the Yubico USB key fob providing one-time-authentication keys from a small USB device with a cute button. I chatted to the CEO of the Swedish company BehavioSec who provide behaviour “biometric” information making it possible to detect when keyboard activity is coming from a different user. I did manage to meet up with the MD of DISUK, Paul Howard who has a really neat solution to encrypting tape backups – put one of their SCSII encryption devices in the SCSII device chain –job done! Paul is a passionate gliding instructor which allows him to see the world from a different perspective at times.

The final keynote I saw was that from the UK's Information Commissioner, Richard Thomas. He seems to be getting traction and a larger budge to fulfil his mission to support both Data Protection and Freedom of information which is good. His view is that breach legislation needs to be risk based, not simply for every breach. His argument is that we should not worry about low volume, low impact breaches. Tell that to the individual that has to reclaim their stolen identities and refill their bank accounts – that they don’t need to be notified that their very identity is at risk.

Finally, the conference organizers were promoting Alan Turing as the “brand” for the conference. I wonder what Dr Turing would have made of his image and the promotional videos about the place. They even had a display of encryption devices including the Enigma that Turing played a part in breaking. In reality, the successes at code breaking were massive team efforts. No single person “cracked” the Enigma code. Oh – by the way – there were many other codes than Enigma that needed cracking during WWII – and they were! Turing, rightfully, is one of the very few fundamental computer scientists – but we should remember that he was not the only code breaker.

Steve Moyle

Tuesday 23 September 2008

Flapping stable doors versus controlled access

So only 35% of DBAs continuously monitor their running databases, according to this survey. Which sends a shiver down the spine when I think of the databases managed by the other 65% of DBAs ... and more specifically, the risk to the data in them.

And anyway, monitoring databases for suspicious activity sounds like the old "bolting the stable door after the horse has bolted". Don't get me wrong -- if you're not watching over your data-colts in the data-stable you most definitely cannot control what the data is doing. However we should be employing pro-active stable hands to ensure that the barn doors are bolted and only appropriate accesses to appropriate data-stallions is permitted.

With 20% of the survey respondents anticipating "some kind of data security breach over the coming year" simply monitoring their databases seems like an impotent response anyway.

Keep your database under control -- monitoring is too little, too late. Let’s block the stable door to prevent the horse from bolting.

Wednesday 27 August 2008

The "greatest cyber-heist in world history" -- how many did get away?

There has been a raging public debate about how many records were stolen at Best Western. Was it 10 to 12 users' records as claimed by Best Western or was it 8 million as reported in the Scottish Herald? What should we believe about the claimed potential loss calculation of £2.84bn ($5.68bn)?

Best Western was compliant with the PCI DSS -- but how was this achieved? Were they considered a single organization processing 6 million or more credit cards per year putting them in the Level One band requiring quarterly assessments or are they operated like a set of franchises where each hotel is treated as a single PCI entity of less than 6 million credit cards per year (putting them into the annual assessment band of Level Two)?
The reality is that PCI DSS compliance provides a low bar for computer security. Don't get me wrong -- it is far better than nothing, but the threats and technology move at a frantic pace. The prescriptive compliance standards do not change fast enough to keep up with attackers.

Data security is about complete control of data. With a strong security system in place Best Western will know what data assets were compromised -- 10 or 8 million.

Sunday 24 August 2008

Who can we trust?

I saw this today and sighed. Another embarrassing example of data loss from a government department; in the UK this time. Encryption of the data was provided at source, yet it is strange that encryption was not enforced throughout the complete data processing chain.

Management of sensitive data continues to be imperative. This sensitive data loss highlights the inappropriate attitude with regard to security and clearly shows that data security remains out of control. There is a distinct requirement for all government employees to protect the storage of data, including limiting the need for physical transportation, through the implementation of strict guidelines. Sensitive data should be held only where it can be kept most secure, and not downloaded to numerous portable devices or hard copy unless there is a well-justified need to do so – a need that is set out in, and enforced by, corporate guidelines.

If the government sector doesn't sort its house out, I fear we are going to see more high-profile breaches. Leaving us all with the uncomfortable question: if we can't trust the government with our information, who can we?

Steve Moyle

Thursday 14 August 2008

Compliance is not security

IT Security professionals want systems that provide strong controls to protect their organization's assetts. They often find that they are competing for budget from compliance demands.

Compliance is tradiationally a procedure based process that does not necessarily tie into a technological control. There are examples of 'compliant' systems not providing security (e.g. PCI compliant Hannafords).

There is now a trend to deploy Data Leakage tools -- not to prevent data leakage -- but rather so that when (not if) a data leak occurs a record of what has been lost can be used to comply with the growing number of Breach Notification Laws, by contacting those whose records have been 'lost'.

Surely implementing controls that prevent data leakage would be a more proactive approach. Strong security also provides compliance.

Monday 28 July 2008

An Antidote to Class Breaks

This opening post is about the title of the the blog: Class Defenses: An Antidote to Class Breaks.

The notion of a class break is quite common and I am sure most readers have already heard of it.

Here are a couple of definitions

  • "Technological advances bring with them standardization, which also adds to security vulnerabilities, because they make it possible for attackers to carry out class breaks: attacks that can break every instance of some feature in a security system.
    Class breaks mean that you can be vulnerable simply because your systems are the same as everyone else’s. And once attackers discover a class break, they’ll exploit it again and again until the manufacturer fixes the problem (or until technology advances in favor of the defender again)."
    [Source: Bruce Schneier, “Beyond Fear“, 2003, pp 93-4]