The Daily Incite - October 6, 2006
October 6, 2006 - #131
Good Morning:
Happy Friday, thankfully. It seems like months ago that I was repenting. Long week, but it should be a good weekend, since it's my birthday tomorrow. That's right, even grumpy analysts have birthdays. Hopefully I'll get to sleep in a bit, spend some quality family time carting my kids to various activities and birthday parties and then enjoy a little gathering with friends tomorrow night. It should be fun.
Today is email security Friday. It seems there are lots of email security related topics to rant about. As many of you know, this is a topic that I know a thing or two about. But it's good to see the discussion continuing because the topic is important. So whether you are trying to decide how many AV engines to use (here) or how to stop a 0-day email attack (here) - or maybe digging deeper into the state of phishing (here and here) - there is still a lot to do until we can say email is secure. Slow day in blog-land, so in a strange turn of events I actually say there are shades of gray (here). I also dug into the archive a bit to discuss the spyware implications of email tracking (here) and also highlight a little psychology based on a post from the Security Monkey (here).
To wrap up today, I love Dilbert. Maybe it's a little man-love, but is that all bad? There are some days where you just need a laugh and sure enough Dilbert is there to get me rolling on the floor. Check out today's comic (here). There were many times over the years that I wanted to have someone put on that T-shirt, that's for sure. It's too bad making anyone wear a dunce cap is now politically incorrect. I figure we'd have much better behaved kids and adults if it came back in style.
Have a great weekend. And just a little heads up that there will be no TDI next Thursday or Friday. I'm going on vacation, so you'll have to make do without me for two days.
Top Security News
How many AV engines do you need?
So what? - I read this study from GFI with some interest because they make the case that according to FBI numbers, 97% of organizations have AV running, but 65% have been affected by a virus attack. GFI draws the conclusion (correctly) that AV doesn't work every time. I think that's what they call the 0-day phenomenon. DUH! Of course, an AV vendor that is not Symantec or McAfee is going to make the case for additional engines. And in concept I agree. More engines are better than fewer. But should you go and load 4 AV engines on each desktop? Of course not, that would be stupid and they'd step all over each other. But getting back to a layered security architecture, you can use one engine on a perimeter gateway, a second engine on the servers, and a third engine on desktops. Will that cost more? Yes. Will it protect you better? Probably. But none of these things are going to stop a 0-day, which is why application control is important to run on desktops as well.
http://www.gfi.com/news/en/multipleav.htm
Stopping 0-day email attacks
So what? - Speaking of stopping 0-day attacks, eWeek published a review of Secure Computing and IronPort's email gateways this week. It wasn't focused on spam catch rates and the like, but more about their ability to stop viruses sent via email before an AV signature was there. Back when I was in that space, this "outbreak filter" positioning was a critical one as differentiation about spam catch rates and techniques went away. I'm not sure I understand how they tested this, but the reviewer comes away with the impression that both boxes do a good job of stopping these attacks. Basically, they use a combination of reputation services (to detect the likely bad senders) and attachment filtering (to detect a malicious payload) to stop the attacks. So for those of you still relying on server-based or desktop-based email security, get with the program. You should be stopping the bad stuff on the perimeter. The next question is can you put that capability into a UTM box? In concept, yes but that will depend on the size of your environment.
http://www.eweek.com/article2/0,1895,2022486,00.asp
Will desktop anti-phishing tools matter?
So what? - Looks like Microsoft thinks their anti-phishing mojo is the best. Well, they had a Redmond-based research shop do a study that they sponsored to get to that conclusion. So forgive me if I'm a bit skeptical of the study's findings. But whether one works better than the other is not the issue. My question is whether end users will know the difference and be able to prevent an attack because the bar on their browser turns a different color. I usually have an answer for everything, but I don't really have an answer to this because it gets into consumer behavior and I'm no expert on that. I suspect that the technically savvy will see the fire alarm going off, but these folks are unlikely to fall for the scheme in the first place. My fear is that those who are likely to get duped aren't going to see the warning. So what are we to do? Address it at the network level. Web filtering needs to react faster to block these phishing sites. IPS needs to detect and stop common attacks that compromise machines. And yes, we still need to train our users and consumers to stop doing stupid things. Hopefully McGruff is on top of that.
http://www.eweek.com/article2/0,1895,2022470,00.asp
My that's a cool PhishTank you have
So what? - Just what we need, yet another site to archive suspected phishing emails. I came down hard on CastleCops and SunBelt a while back (here) for their PIRT initiative, but I was wrong about that. Well, not really wrong, but I picked the wrong horse. It seems the Anti-Phishing Working Group (APWG) is less effective at actually getting the bad sites taken down and is more of the PR effort I referred to. So what is PhishTank (backed by DNS service provider OpenDNS) bringing to the table? For you and me, not a damn thing. But if you use OpenDNS' services, then they will allegedly be able to avoid these malicious web sites. That's good for their business, but not for mine. And it's all about me. Seriously, it's important to attack this on all fronts. So this data should be sent to the Web filtering folks (I think CastleCops does that), it should be sent to the DNS folks (to block requests to phishing servers), and it should be sent to someone who can get the site taken down. It's only through a multi-tactic approach that we'll address the issue.
http://www.darkreading.com/document.asp?doc_id=104945
The downside of stats
So what? - I mentioned yesterday the use of statistics for PR purposes. But what happens when some folks get pissed about the stats and the vendor ends up backing down on those claims? Right. Bad PR. Very bad PR. That seems to have happened to Trend, who, in order to stimulate their US Fed business, was going to publish some stats about how thousands of government computers are owned. Evidently some of the government agencies pushed back and Trend now has to revisit its study. Now that is news! This brings up some questions about how tight the methodologies used to gather the stats are, and who is ultimately drawing the conclusions, and to what end. The stats-mongers tend to determine zombies based upon whether they send out spam or not. Since spamming is certainly one use of a zombie, that's not altogether wrong, but it's not complete. And ultimately they are depending on IP address info to determine where the culprit resides. That's not 100% infallible either. So the conclusion is the same. These malware stats are probably not worth the paper they are printed on.
http://www.informationweek.com/showArticle.jhtml?articleID=193104896
Top Blog Postings
The weakest link redux
As long as I keep seeing the same stuff, and it allows me to make a point - I'll continue repeating myself. In this post from Rebecca Herold, she states the obvious relative to technology not being the entire answer to stop information leaks. Some malicious folks will do malicious things and other folks just do stupid things at times. So what does that mean for you? It means you can take nothing for granted. It means that you need multiple layers of security (have I said that enough today?). It also means that you won't be able to stop every attack. There is no 100% security. Training, technology, and auditing help to mitigate the risks and contain the damage - but there is no silver bullet. Never has been and never will be.
http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/10/humans_are_the_.html
Shades of gray for pen testers
I've got a little bone to pick with Stiennon over his Dark Reading column this week. He goes to town on pretexting and the whole HP affair. He's right. But I think some of his ideas about social engineering and where the line must be drawn for security consultants doing pen tests are misguided. You see, the bad guys don't follow rules. They have no issue lying to get what they want. If you select a service provider that won't utilize similar tactics, will they be as effective? Will they find all of your exposures? Will they prepare you for when the bad guys ultimately show up at your door? Nope. So I'm not saying to bend the truth about your intentions without permission. That's a big no-no. But if you are hired by a CIO to break into a network and compromise data, by all means do your job. And part of your job is "lying," or social engineering in that context. I'm as black and white as they get, but there is only gray in this situation. If PwC doesn't want to involve social engineering in their pen tests, that's fine. But I'm not sure how they'd get data as accurate as someone else who will.
http://www.darkreading.com/document.asp?doc_id=104223
Is tracking email bad?
Since it was a slow day in blog-land yesterday, let me point to a week-old post on the Sunbelt blog relative to some email tools that could be construed as spyware, or maybe not. It plays well with the email security and phishing themes today. The presence of these tools came to light with the HP fiasco, since they sent mails out with tracking beacons, which show who forwarded messages to whom and when. Is this spyware? Or just a marketing tool used maliciously? When I send out the TDI each day, my service provider can track who opens it and who doesn't. Not down to the subscriber level, but in aggregate. It's helpful to me to figure out if my stuff is hitting the mark. Is that bad? It would be very helpful to see who the messages were forwarded to, but I don't do that. Not for ethical reasons, but because I don't have the technology. Is that bad? Am I a bad guy because I want to know how my content is being consumed? If I were using the data for unethical reasons, then that's bad. Well, if this pissed you off, then just read all your email in plain text. That breaks these tools, because a beacon only reports back when the HTML is rendered and the remote image is fetched.
http://www.computerworld.com/blogs/node/3651
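As an added example (not code from this post or from any product it mentions), here is how a mail client or gateway can flag such beacons and fall back to a plain-text rendering without ever fetching anything; the message body and host names below are constructed.

```python
"""Detect HTML e-mail tracking beacons ("web bugs") without fetching them.

Constructed example. A beacon is typically a remote <img> that is tiny or
hidden and whose URL carries a per-recipient token, so merely rendering the
HTML reports that the message was opened (and, once forwarded, by whom).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body: one ordinary picture, one beacon.
SAMPLE_HTML = """<html><body>
<p>Hello, see the attached report.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<img src="http://track.example.net/o.gif?u=7f3a9c21&amp;msg=131" width="1" height="1" style="display:none">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collects <img> attributes and the visible text of the message."""
    def __init__(self):
        super().__init__()
        self.images, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))  # attribute values arrive unescaped

    def handle_data(self, data):
        self.text.append(data)


def _tiny_or_hidden(attrs):
    """True when the image is 0/1 pixel in either dimension or display:none."""
    dims = [attrs.get(k, "") for k in ("width", "height")]
    hidden = "display:none" in attrs.get("style", "").replace(" ", "")
    return hidden or any(d.strip().rstrip("px") in ("0", "1") for d in dims)


def find_beacons(html):
    """Return remote image URLs that look like beacons (heuristic: tiny/hidden,
    or carrying query parameters that can identify the recipient)."""
    p = ImgCollector()
    p.feed(html)
    beacons = []
    for attrs in p.images:
        src = attrs.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:/data:) images cannot phone home
        tokenised = bool(parse_qs(urlparse(src).query))
        if _tiny_or_hidden(attrs) or tokenised:
            beacons.append(src)
    return beacons


def to_plain_text(html):
    """Plain-text rendering: every <img> is dropped, so nothing is fetched."""
    p = ImgCollector()
    p.feed(html)
    return " ".join(t.strip() for t in p.text if t.strip())
```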
Doug Henning and the illusion of security
Does anyone remember Doug Henning, the magician? He died a couple of years ago, but I remember going on a field trip in elementary school to see his performance. We took buses into NYC and I really enjoyed seeing his illusions, his crazy rainbow outfit, and lots of shiny things. I was probably in 4th grade and things were a lot easier back then. But how much of what we do is illusion vs. reality? The Security Monkey goes on a rampage here: putting on the show as opposed to actually addressing the root cause is pissing him off. He's right, but he's missing part of the point. People need to believe they are safe. The big show helps people to believe. Just like the big bouncer when you walk into a club discourages you from doing something stupid. You don't want to mess with him. Everyone else in the club knows you don't want to mess with him, so everyone feels safe. Even though anyone with a weapon could take down the big man in a second. That's not the point. We are all at risk every minute of every day. But you don't want to be constantly reminded of that.
http://blogs.ittoolbox.com/security/investigator/archives/the-illusion-of-security-12048
Wow - this post truly blows me away!
1. We have the same birthday! It is Oct 7th for me, too. Although, yet again I was already there before you :). I have to say that I never would've pegged you as a Libra!
2. My wife and I saw Doug Henning make a Tiger appear in the middle of the Wang Center in Boston. We were sitting in row 5 - could see everything. We're still blown away by that 20 years later.
3. Celebrating tonight with Eric Clapton, then a quiet long weekend awaits. Warm days, leaves turning, it's beautiful up here.
Have a great birthday and vacation with the fam.
Eric
It's always nice when I can claim to be more black and white than Rothman. On the topic of social engineering I am opposed to the idea that it is an effective means of pen testing. While social engineering is a GREAT way to penetrate an organization it is also a cheap trick that will almost always work. It does not require technical expertise on the part of the attacker. You should already be deploying defenses that make it harder for internal employees to give away the company over the phone. Social engineering is usually used to demonstrate that an organization needs to spend more on security awareness training programs offered by the consultant.
Is it OK to lie, cheat and steal, maybe even break the law, when the victim's employer is paying for it and has granted permission to the attacker? I say no!
My stance: Social engineering is wrong. And, it is not an effective penetration testing technique. Don't do it. Don't hire people to do it.
I think Amrit, Mike and Richard, you are all both right and wrong.
Social engineering is just plain wrong and Richard is right about that, but why would an attacker resort to technical expertise when social engineering is simply easier, even if it is a cheap trick? Won't they take the path of least resistance?
Amrit and Mike are right that social engineering is important in pen testing, simply for that reason, that because it is easy, it will be done because it is easy access to low hanging fruit.
When Amrit and Mike say "why should an organization not look to see how strong their controls are against social engineering?" I would counter that any security technology worth its salt would take social engineering out of play as an option immediately, so that pen testing would focus on the technical aspects of vulnerability that Richard believes should be the prime focus.
I think it is a sad indictment of the security industry as a whole that a company can spend hundreds of thousands of dollars on security products and still remain easy pickin's for social engineers.
Social engineering as part of a penetration test is absolutely valid and important. Unless an organization understands where their weaknesses lie they will not be in a position to implement appropriate controls; additionally, even when "appropriate" controls are implemented you need to perform due diligence to ensure they are working and monitor them for any violations of policy.
I hosted a case study for the Gartner Security Summit in London with the CISO of a large, European financial organization. As part of the security awareness efforts, which were part of their implementation of 27001, they ran the gamut from posters, to newsletters, educational videos to assisting with security implementation for telecommuters or anyone that required it for their home. They made a pretty strong effort to make their population "aware" of the security risks. They also hired a company to perform a penetration test which included social engineering. Within 24 hours they were able to obtain a long list of passwords, directory structures for sensitive servers and confidential files.
This organization was able to tune their controls, implement new technologies and processes to deal with what was perceived to be a fairly strong security program. The resulting effort allowed the CISO to highlight additional measures that were required, gain greater executive level visibility of security and in the end improve their security posture.
So cheap trick or not, the bad guys use it all the time, why should an organization not look to see how strong their controls are against social engineering?
Mike, you focused on a very important topic for today's post. Email can be a major threat not only to your computer files (viruses!!), but also to your personal/sensitive information (phishing attacks, redistribution). One subject that's worth mentioning in the email security dialogue is outbound mail threats and security measures. We can use an anti-virus or anti-spam product to filter messages that come in, but most do not employ an anti-theft solution that protects sensitive outbound email content and attachments from being copied, forwarded or otherwise misused by the recipient.
Email security should encompass incoming as well as outbound security measures.
Yes, it can be. To quote Clapton, "it's in the way that you use it." I've seen these "web bugs" used with hostile intent as a tool of legal discovery (you send mail to one person and see who they forward it to, then you ask for all the mail records of those other people). I've seen them written to evade firewall rules too (with mixed radix addressing, for example). That all sounds like the definition of spyware to me ...