Wednesday 31 December 2008

Approaching the end of the Noughties – Moore’s Law and beyond!

As the clocks here in Oxford tick down to GMT 23:61 December 31 2008 (yes – there is an added leap-second this year) it is time to consider what the last year of the “noughties” (i.e. 200x A.D.) has in store for the world. It is common for those in the IT Security trade to forecast doom and gloom ahead. With our lives now dominated by the highly volatile world of digital computing it is rare that anyone gets their predictions correct.

A great exception to this has been the forecasts of Intel founder, Gordon Moore, and his “law” that the number of components on an integrated circuit doubles about every two years. This exponential growth has meant that the power of computers today far outstrips that of yesteryear. With the 40th anniversary of the Apollo 11 moon landing, it is sobering to realize that the power of the disposable CPUs on our chip-and-pin credit/debit cards exceeds that of the guidance system on the Eagle (the lunar lander).

With such ubiquitous computing and the growth in the number and complexity of applications, my forecast is that exploits, like integrated circuit density, will obey a “Moore’s Law”. I expect exponential growth of exploits, fueled by profits from e-crime, to continue. The visible evidence for such a law will mount up in 2009.

Whilst the speed of light and the size of atoms seem to be limits that might affect Moore’s Law when it comes to the current technology of chips – what might control the limits of e-crime exploits in the future?

I wish you all a very rewarding 2009!

Wednesday 17 December 2008

Hack chain, held together by database attacks, linked at each end

As the western world enters its festive season, the spirit of goodwill and peace to all men has most computer users lowering their guard. The rush to search the internet for gifts to buy and the process of ordering online has given those not winding down for Christmas (i.e. the attackers) a bumper harvest.

Following on from my previous post, we see Microsoft issuing advice on how to mitigate newly exploited vulnerabilities in their web browser, which form one link in a chain of vulnerabilities. What is really neat is that each end of the chain of this exploit requires an attack on a database. Initially, malware is force-fed into web sites using a SQL Injection attack to poison an external database serving the web site. Visitors to these sites accidentally load the malware served by the site into their browser. The malware then exploits the browser to masquerade as the computer user on the user’s own corporate network. Now the attacker is pretending to be an authorized user on the corporate network. The next part of the attack uses internal credentials to connect to an internal corporate database and then exploits vulnerabilities on the database to gain complete control of it. This includes stealing data and controlling the network further.

Organisations' internal databases are not well protected, and organisations typically expect their perimeter firewall to keep the outsiders out. Given the chain of events that allows an external attacker to get access to internal databases whilst appearing to be an insider, the perimeter firewall is totally ineffective. A database firewall is called for here. The best form of defence is to not trust any database access, regardless of who makes it or where it comes from. This requires building active control policies for database usage and enforcing them. At Secerno, the DataWall™ product line achieves just this by utilising the SynoptiQ™ Engine.

Break the chain of successful attacks! Proactively control and protect all your databases – from those on the inside – and those on the outside! It is no longer possible to safely discriminate who is who.

Friday 12 December 2008

How to make 1 + 1 = -10 (AKA combining two attack vectors to control a database)

Let me start out by warning that this post is quite “techie” and may be seen as academic by some readers.

I am always impressed by the ingenuity of the security researchers who find new ways to make systems do things that their designers and engineers never had in mind when the systems were built. Recent news from researchers discloses how it is possible to combine the elements of two long-known attack strategies, Buffer Overflow exploits and SQL Injection, to produce an attack on one SQL database platform. This is reported by The Register as “the vulnerability can be exploited by an authenticated user with a direct database connection, or via SQL injection in a vulnerable web application”. Tragically, the only advice from the vendor is to drop a particular stored procedure (there is no advice on what this is likely to break).

The basic attack strategy is to exploit a stored procedure that is vulnerable to SQL Injection and then use this to get access to the memory address space of the underlying operating system. Broadly speaking, this is similar to the outcome provided by a good old buffer overflow exploit. (Those old security hands reading this will probably remember the classic work “Smashing the Stack for Fun and Profit” by Aleph One.) With access to the operating system and the precision of controlling directly what is put in the memory space, we can pretty much get the machine to do anything! In reality, there are many easier-to-craft SQL injections that will give an attacker control of a system, but this new approach is worth understanding.

What caught my attention about this was that one of the areas I researched whilst at the Oxford University Computing Laboratory was automatically learning the high-level strategies behind families of buffer overflow exploits. At Secerno, we have the technology (SynoptiQ(TM)) and the products (Secerno DataWall(TM)) to protect our customers’ databases from SQL Injection, whether or not it is attempting to smuggle in a buffer-overflow-type attack, and to stop the attackers causing something large and negative to happen on your databases (the minus 10 in the title of this post).

Thursday 11 December 2008

White-listing is officially the Protector’s “New Tool”

Anyone watching the Forbes.com item on the future of computer security will come away believing that there is a “new” technology riding to save us all on a white horse. This is the “New Security Tool called white listing”. Kym McNicholas interviews Paul Ferguson (Threat Researcher at Trend Micro) who says that “Antivirus software can’t keep up” with the thousands of new malware variants released each day. According to Ferguson the number of new malware variants seen in 2008 is greater than all those released in the previous 20 years.

Those of us who have been in the information security field for some time will appreciate that this is not new. The reality is that an infinity of bad things can be created and that we typically restrict ourselves to a relatively finite number of good things that we use and do. Keeping up with the bad guys guarantees we will always be one step behind.

So white lists are good – but how do we build and maintain them? How do we ensure that they are precise and accurate to suit our protection needs? As each protected asset is unique in its operating environment, the precision we need for protection can only be gleaned from the operating context. Old-style approaches of asking system owners to build their own white list signature decks from inadequate tools like regular expressions are not credible. Outmoded approaches consistently deliver error rates that are far too high to provide effective security. To reduce total cost of ownership, tools for building white list protection policies must be highly automated using intelligent approaches. This is exactly what we do at Secerno using our SynoptiQ(TM) technology to build defect-free proactive policies that you can rely on.
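
The white-list idea above, applied to the database-access policy argued for in the 17 December post, as an added example that is not Secerno's SynoptiQ or DataWall code: statement shapes are learned from observed traffic and anything else is denied, whoever sent it. The simplified lexer, the class and function names, and the sample statements are all assumptions made for illustration.

```python
import re

# Lexer for a simplified SQL dialect (an assumption of this example). A real
# policy engine would use the database's own grammar.
TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')           # string literal ('' = escaped quote)
  | (?P<num>\b\d+(?:\.\d+)?\b)        # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # keyword or identifier
  | (?P<ws>\s+)
  | (?P<sym>.)                        # operator / punctuation
""", re.VERBOSE | re.DOTALL)

def fingerprint(sql):
    """Reduce a statement to its shape: literals become '?', case is folded."""
    shape = []
    for m in TOKEN.finditer(sql):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind in ("str", "num"):
            shape.append("?")
        elif kind == "word":
            shape.append(m.group().lower())
        else:
            shape.append(m.group())
    return " ".join(shape)

class StatementAllowList:
    """Permit only statement shapes seen while learning; deny everything else."""
    def __init__(self):
        self.shapes = set()

    def learn(self, statements):
        self.shapes.update(fingerprint(s) for s in statements)

    def permits(self, sql):
        # Deliberately ignores who sent the statement or from where.
        return fingerprint(sql) in self.shapes

# Constructed sample traffic from a hypothetical shop application.
BASELINE = [
    "SELECT name, price FROM products WHERE id = 42",
    "select name, price from products where id = 7",
    "INSERT INTO orders (user_id, product_id) VALUES (3, 42)",
    "SELECT * FROM users WHERE login = 'alice'",
]

def build_policy():
    policy = StatementAllowList()
    policy.learn(BASELINE)
    return policy
```

A statement whose literals differ from the baseline is still permitted, while one whose structure changes (an appended condition, or a call to a stored procedure never seen during learning) is denied because its shape is not in the learned set.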