Recently I wrote a piece on Deep Packet Inspection (DPI), and issues related to its use within the Virgin Media Network in the United Kingdom. In that case, opponents to its use cited UK legislation that prohibits the unauthorized capture of communications and conversations on networks. I found this to be curious as this case dealt with Virgin’s desire to deploy a specific tool that focuses on the detection and identification of peer-to-peer (P2P) networks such as eDonkey, Bit Torrent, and Gnutella. The tool, CView, was to provide a DPI function important to ensuring the integrity and purity of good traffic while aiding in the identification, observation and remediation of bad traffic. Virgin’s concern was the health of its network and its desire to manage anomalous bandwidth consumption while combating illegal use and distribution of copy righted / trade marked materials. This doesn’t sound terribly unreasonable nor does it sound like a ‘violation of privacy’ rights as the opposition suggested.
This case caused me to reflect on challenges and opposition I have seen in hundreds of cases and clients with respect to Deep Packet Inspection (DPI) technologies. I believe many organizations and professionals within them have a fundamental lack of understanding of not only DPI, but also more elementary concepts such as traffic analysis (read: the ability to read and decipher packet captures). I’ve heard every possible technical and cultural argument against the use of packet inspection or session based analysis tools known to man. Some more well articulated and supported than others. I’ve been in countless hundreds of meetings where white board diagramming sessions ensued and network diagram sessions erupted into long debates regarding implementation and positioning of a technology and every reason why a given device could not be implemented. These conversations are healthy and important; they need to be had. However, facts are facts and most of the ‘concerns’ or arguments used against the adoption of intelligent, network-based security products is in fact flawed. Take for example one of my favorite arguments against the adoption of Deep Packet Inspection (DPI) technologies:
- Deep packet inspection solutions introduce latency into the network and in effect are prohibitive to the continued flow of traffic:
- This argument, when first presented, had some validity however DPI solutions, specifically Intrusion Prevention Solution (IPS) appliances have undergone evolution to the third generation. Most if not all offer some form of bypass kit which ensures that in the event of cataclysm (as defined by you or your organization), provided the building is not a smoking crater and that electricity continues to flow so to will your traffic
- Additionally, most platforms if not all offer multiple modes of deployment where in an organization has the ability to segue slowly into full inline integration DPI from a passive monitoring (IDS) mode
- It is true that any time any device is introduced into the flow of traffic some latency – no matter how infinitesimal, will be introduced. This is true of any device be it a router, switch, load balancer, server, firewall, ips etc.
- Deep Packet Inspection (DPI) solutions, specifically Intrusion Prevention Solutions are often never fully implemented often times seeing them remain in a passive monitoring mode. As a result, organization would never fully realize the Return on Investment (ROI), they expected as a result of making their purchase and likely could have settled for a much less sophisticated and costly platform:
- The adoption of the technology and / or the enterprise in questions readiness has no bearing on the efficacy of the technology
- It is intellectually dishonest to assert that had proper due diligence been performed and a readiness assessment undertaken, Return on Investment (ROI) and Total Cost of Ownership (TCO) would not have yielded positive results technical or otherwise
- The threat landscape is moving at a rate which no one can properly contend with and as a result, combat in its entirety:
- This not true for all systems utilizing Deep Packet Inspection (DPI) technology. Yes, there are some which rely on archaic and in some cases less well defined engines and analysis technologies however those who truly ascribe to the definition of Deep Packet Inspection (DPI) should be impacted far less by this than those who do not
- Deep Packet Inspection (DPI) solutions are complex and esoteric; they are not intuitive:
- This argument is weak but needs to be taken in context. In my experience when clients brought this point to the debate table it had more to do with the experience level of their staff than the tools complexity
- This can be overcome quickly and easily provided a proactive, open relationship exists between the vendor and the client
- Education should be ongoing; failure to educate (it is not only the responsibility of the vendor but the organization purchasing and adopting the technology) to ensure
- Fire-walls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their less complex packet-filtering and stateful inspection peers:
- The application of this type of technology is traditionally done by those who are fluent and well versed in the need for it
- It is neither new nor is it beyond comprehension
- Given today’s threats and the complexities researchers and analysts continue to see in record numbers technologies such as this are now more important than ever before not to mention more effective than packet filtering and / or stateful inspection only systems
- Fire-walls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their less complex packet-filtering and stateful inspection peers:
Conclusion:
The reality is that technologies such as Deep Packet Inspection (DPI) are extremely important. Their importance, though debated cannot be ignored and as a result they are more important now than ever than ever before. No longer are we contending with largely unsophisticated threats and adversaries. Cyber-criminals do not sleep. Nor do they take vacations or observe change windows. They are on the job 24 x 7 x 365 and are not deterred by (in fact I would imagine they welcome the objections which are proposed against the adoption of technologies such as DPI) by the presence of traditional mitigative technologies and controls. As a result, the need to strengthen our positions architecturally as well as procedurally must be recognized and acted upon. Time is of the essence and hesitation accompanied by intellectually dishonest or malformed thought processes must be overcome in order to address these threats.
German Government and Internet Explorer
The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.
It’s an interesting statement in what sure is going to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short sightedness in their issues surrounding flaws in Internet Explorer.
In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point, with IE installed on over 60% of computers worldwide there is a better than average chance that consumers WILL SOON be targeted and this why I have issue with Microsoft’s defense against the German government warning.
My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.
Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other 3rd business application which only supports IE. Then I would have it only installed on systems requiring access to that app, would have the security settings tuned to high and would disable as much scripting as possible.
I’m not naive, I know there are vulnerabilities in Firefox, in fact when looking at Secunia this morning I found there to be more vulns in Firefox then there are in IE (versions 5.0.1 through 8.) However, the one thing I noticed as well is that Firefox vulns were more likely to patched in a quicker fashion that IE and that the vulns reported in Firefox collectively were not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive to a future IE zero day that goes unpatched for a significant length of time after discovery.
Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero day vulnerability before an attack occurs. However, this series of attack occurred last week and the recommendations against exploit are browser settings, not a patch. This isn’t going to work for the consumer, casual user and very likely, won’t work effectively for the large enterprise.
The reasons are simple:
- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of taking calls from the help desk asking “how do I make these changes again?” or trying to explain why some website isn’t working.
It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriate. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”
I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.
Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.
Again, this is not an indictment against Microsoft, rather this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house or do you trust the safe manufacturer instead? For information security, rely on the security professionals.
As a final disclaimer, these views are mine alone and do not reflect the views of my employer.
APTs, Web Browsers and Information Security
The recent event news surrounding the Google cyberattack and the fact that web browsers were exploited to facilitate these attacks come as no surprise. In fact, I recall in 2006 and 2007 when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:
If I had a give away for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive. Almost unanimously the hands would raise for the $1000 cash because people want the cash.
The whole point of this series of presentations was to point out that security had everything to do with information and viruses, worms, Trojans, bots, etc were simply mechanisms used to enable access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.
I submit to you today, the same thing that I would tell folks 3 years ago and more, that the web browser is the most widely used application in user land and as such, will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentation via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we realized a large scale compromise that was PUBLICLY announced that was enabled by flaws in the web browser and the near ubiquitous use of the browser on every computing device a user, consumer or employee of an organization uses to go about their daily business.
I remember the first time I mentioned to an audience that the use of the web browser when taken into an information security context was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that because a web browser and plug-ins like Java, XML, Active X, VML and others “just run” once the browser is launched, it’s no different than giving someone free reign to do whatever they want in your home or office when it comes to valuables.
This series of attacks and exploits of Internet Explorer have proven that point more than ever. The opportunity was there 3 years ago and now the first of many attacks have arrived. But the one thing that we must absolutely remember is that it’s not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be credit card information of consumers or a chemical company’s intellectual property.
Security is about protecting information pure and simple, everything else is just a by product of that.
For more information on the presentations I mentioned above please check out:
http://bit.ly/8gQfrz
http://bit.ly/74tBEM
eReaders and Corporate Information
I love my Kindle, I really do. I can carry two or three books, magazines, newspapers or whatever with me when I travel, without the added weight of dead trees in my bag. There may be someone reading this who prefers a Nook, but feels the same way I do regarding eReader portability and functionality.
They are versatile, they are light weight, they don’t take much time to turn on and, if you’re savvy, you can put just about any document on it outside of what’s available over the respective wireless networks. And therein lies the problem.
- The nook and the Kindle both support PDF, JPG, BMP and GIF file formats
- The Kindle allows you to send an attachment to a unique email address which is assigned to your device, it will be converted to PDF and sent over the air to your device
- Both the nook and the Kindle can be mounted as a hard drive on your computer
The traveler, productive and efficiency side of me says “Hey, that’s great, I don’t have to boot a computer anymore if I can put a document in PDF format.”
But the security side of me says “Big problems to come in 2010 and beyond.”
Outside of the username and password assigned to the wireless store account, neither of these devices have any sort of access control or authentication mechanism nor do they have any sort of file security or encryption. Therefore, there’s no way to prevent “just anyone” from picking it up, turning it on and reading whatever is on it.
However, there really isn’t a reason to have authentication or any other sort of security on them, right? Simply stated, they don’t need them because they’re intended to devices of convenience for the avid reader. However, business people are always looking for ways to become more efficient.
Very recently, I’ve had conversations with colleagues and friends, during which one asked if documents other than books could be read on the Kindle. His idea is that he will load it up with documents that he needs to review while on airplanes. Great idea in concept, maybe not so much in practice depending on the nature of the information.
The other already had a plan, he was thinking about getting one and one of the plans he had was to put user guides, documentation and other materials related to technology he sells on his eReader. Another good idea in theory, but again this could lead to problems down the road.
I’m sure much of this material will benign and my hope is that the folks I work with in the security industry will show better judgement than to put confidential information on their devices. But what about those not the security industry with the same ideas of eReaders being a model of efficiency for travel? That’s what concerns me.
Generally speaking, most people who will find the ability and convenience of putting documents on these devices won’t even think about the security implications of their actions.
The potential problem that exists is not only the device owner either, it’s anyone who could be configured to send email to the device. In my case, I can set up users or entire domains to be authorized to send a document to my Kindle to be converted to PDF and sent to my device. This happens automatically when I turn on the wireless connection and the device synchs to the Amazon servers. However, I have no way to control what’s being sent to the device. Sure, I can delete it if it looks like it doesn’t belong or looks out of the ordinary, but the risk of confidential data being placed on the device still exists.
The ability to put documents on my Kindle is great, it really is. I love the fact that I’m not restricted to only paid content from Amazon. In theory, I could read and grade student papers during terms when I’m teaching. I can review draft documents intended for public use. Imagine the creative use cases for eReaders in business, they are quite extensive.
This is the problem that information security professionals will face in the coming year and beyond as more people buy eReaders. My years old theory about personal technology in the work place still holds true today, any consumer technology that becomes cheap enough for it to be widely used in the workplace creates a security risk. Primarily because the owners of these devices bring them into the work place thinking it will make their jobs easier or use them as a convenience. The risk introduced by these devices can be attributed to the fact that the users of IT are quite smart; they do what they are allowed to do, in the environments the are allowed to do “it”, with the knowledge and education they are provided.
Because of the ease of interoperability and the challenges associated with managing enterprise infrastructures, many personal technology devices have been introduced into the work place over the years. These include; iPods/MP3 players and their use as a hard drive (I know at least one person who has two iPods – one for music and one as a hard drive backup), mobile phones and their cameras and video/audio recording capabilities, high capacity USB drives, watches with USB drives and portable document and business card scanners. In 2010, I believe we will see the eReader revolution take off as a personal technology device that is introduced into the work place.
The job of the information security professional is only getting tougher and even if companies are primarily concerned about minimum compliance standards, it’s time to start paying attention to where your data and information is being stored. Because in my opinion, it’s only a matter of time before one of your employees leaves an eReader on an airplane, in the security line or in a hotel room and that eReader very well might contain some information critical to your business that is not intended for public viewing.
What is Security Research Worth?
Recently I’ve been giving thought to the value of security research and what a customer might pay for access to information collected by an organization with an expertise in assessing technical threats and vulnerabilities, government mandates and geo-political climates and then applying this knowledge to information security programs and practices. There are very likely two knee-jerk responses to this with one being, “Why would I pay for something my people can research on the internet?” and the other might be “Well, if I can get true value to increase the security posture of my organization, sure I’d pay for it.”
In either case, we still don’t know how much we should be paying for this research. I would say that we must first start with figuring out what it would cost an employer to hire an experienced security analyst or engineer, who is then dedicated to this function. According to Payscale.com security specialty pay ranges from $63,000 on the low end to nearly $100,000 per year on the high end. Add to this another 35% for benefits and you have a $135,000 per year experienced employee to spend their entire day collecting information from various websites and other resources. But remember that this person will only work about 40 to 50 hours per week, so what about the rest of that time?
So let’s assume that you have a relief factor .7 (standardized for the private sector) so the number of persons needed for a single position is 1.7 to take into account weekends, vacation and sick time. That said, if you’re going to staff 3 positions to achieve 24×7x365 security research and analysis capabilities, the number of people needed for that team is 5.1 (we’ll round it down to 5) so the total employee cost for a year is $675,000 plus training and education costs.
Ok, I know that I’m making some assumptions here and the actual salaries could be higher or lower depending on market, candidate, etc. Also, I’m making the assumption that an organization would require 24×7x365 staff to perform full security research, analysis and monitoring of the threats, vulnerabilities, market factors and geo-political factors that could impact their critical systems and networks. By the way, security research does not refer to the need to manage their security infrastructure for specific, targeted events against their infrastructure.
This brings me back to my initial question. Is there value in holistic, independent security research? Would you pay to have access to this information?
I’m certain there is and I would urge you to consider the following as you consider the value of this information or type of service to your organization.
At a minimum the following information needs to be available to the customer:
• Daily reports on the latest trends, threats, vulnerabilities and other issues that are relevant to the customer’s business or market
• Access to up to the minute threat and vulnerability data that allows an organization to customize and select security information relevant to their infrastructure
• Relevant information that covers not only technical threats and vulnerabilities but also anything specific across markets, geographies or political situations which can be used for an organization to understand the full impact of technical and geo-political events to their organizations
If a research organization can provide this type of information to a customer in a manner that doesn’t compromise their intellectual property or competitive advantage in a marketplace, there is certainly significant value to the customer. I just don’t know how much they would pay for this data. What would you?
We are tied to our worlds, tethered if you will, in many respects by our mobile devices. Our Apple iPhones and RIM Blackberries among others, aid us in keeping up with our professional and personal lives. They provide us a near real time (and in some cases real time depending on the platform and connectivity), window to the world. Information is available as quickly as electric signals are converted to light and back again over terrestrial and non-terrestrial infrastructure. It’s an amazing time to be alive. But for every convenience there is a price to pay. Isn’t that always the case? As the old saying goes there is no such thing as a free lunch and technological advancement is no different in that respect. We pay a price for convenience. We sacrifice aspects of humanity for expedience. We trade willingly many of those commonalities which all mankind shares in order to ensure we can check our email, reply to a twitter posting, conduct online financial transactions, post a photo on facebook or find a movie online.
There is nothing intrinsically wrong with this. In fact, it is quite normal to see some elements of human life become retired as technological advancement occurs. Take for example the written word. Writing letters in centuries past was an art form. Manipulation of language and style enabled individuals and groups to establish identities; voices via pen and paper. With the advent of the telegraph, then the telephone, then data communications etc. the medium and styles seen changed to meet the times. To meet the needs; the urgency of communication and coupled with the ability to provide near real time responses to questions or statements.
In late November I wrote a piece that discussed exploitation of jail broken iPhones and the introduction of worms to the world of Apple handhelds. As a RIM Blackberry user, I took a certain amount of pride in this as I secretly coveted the coolness of the iPhone then yet another mobile vulnerability was announced only this time; it was for the RIM Blackberry platform. This is not the first time malware for RIM platforms has been developed or identified. Back in 2006, Jesse D’Aguanno, director of professional services and research with Praetorian Global LLC. wrote and released what many of us believe was the first Trojan for the RIM platform. At the time, RIM stated that the exploitation was dependent upon whether or not the Blackberry Enterprise Server Administrator enabled the IT policy settings for mitigating such threats. However, this is not where the story ends. On December 1, 2009 RIM released a security advisory that addressed multiple vulnerabilities in the PDF distiller of some released versions of the BlackBerry Attachment Service. Within the advisory RIM stated that the following versions of BlackBerry Enterprise Server running on the following Microsoft Windows platforms were affected:
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows version 2003 or 2008
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows 2000
- BlackBerry Enterprise Server software versions 4.1.3 through 4.1.7, and BlackBerry Professional Software 4.1.4.
In convincing a user to view a specially crafted PDF file, an attacker might be able to execute arbitrary code or cause a denial-of-service condition on the system that hosts the BlackBerry Attachment Service. This of course is not the first nor will it be the last time we hear and see advisories such as these for mobile device platforms (I suspect that Palm’s WEBOS will be the next victim just as the Android by Google has been). For better than 90% of those who use these devices, what we are discussing will not resonate in the same way as it would with security researchers and analysts. For that percentage of the populace these devices are merely extensions of themselves; windows to the world as mentioned earlier, which allow them to access and be accessed. That access of course runs deep and wide through their lives and sees their worlds become more risk inclined than not.
But are we so different than the 90%? Don’t we use these devices in similar fashion? Certainly we look at the technology differently than do most as our business is the business of security and as a result we are naturally or artificially disposed to being suspicious of that which we do not know intimately or understand. As a result, you and I might conduct analysis on a device prior to using it or examine in an isolated lab environment a sample of malicious code using debuggers and other tools & techniques to assess behavior, payload and net effect of said code on a system or platform. However, corporations find themselves enabled and ready to deal with the advent of the introduction of malicious code and content, who is taking first watch in defense of those who use these devices independent of a corporate IT security program?
Botnets, Malware and the Fortune 100
After a much too long hiatus and sabbatical of sorts, I’m back to contributing to the efforts here at Cassandra.
Anyhow, I came across this article very recently and, while it was published in September, it is a very timely topic given some of the conversations I’ve had with my colleagues here at Cassandra. Follows is my philosophical post. But first I have to give the folks at Defence Intelligence the proper credit and recognition as the Fox News article referenced above comes from their work.
The first line stating that at least 50 of the companies in the Fortune 100 are compromised by an information stealing botnet was not surprising to me at all. But it did get me to thinking about the state of security programs, processes and technology in these organizations, among others. While it might be easy to blame specific industries and their focus on regulatory compliance rather than security (yes, they’re different and we’ll discuss that in another article) or lay blame at the feet of lack of budget and resources, lack of technology savvy or some other excuse. We must first understand that the Fortune 100 are the largest companies in the U.S.
Let’s start with a few assumptions:
1 – The Fortune 100 are likely to be among the most savvy companies in the world when it comes to adopting and using people, processes and technology to enable their business.
2 – They are more likely to have the resources to enable effective information security programs than smaller companies.
3 – They are likely to have established an CISO or equivalent position.
4 – They are likely to be considered very coveted accounts by technology and security vendors. Therefore, we can expect that they are at least made aware of the latest innovations in technology and security and should certainly be made aware of those vendors’ research efforts into current threats.
Now that I’ve made a few assumptions, I want to dive in to the thoughts that I had on this article.
As I read the article and made these assumptions in my mind, I asked myself – “If over 50% of the Fortune 100 has been compromised, what does that say about the rest of the companies in the US?” The reality is that there is really no way to know what it means for the rest of the companies, however we can probably very safely assume that over 50% of them are compromised as well.
What is not made clear in the article or in the research details I’ve been able to review thus far is how deep the compromise goes into these organizations. Are we talking hundreds or thousands of systems or are we talking a few to tens? That would help put some of this into a better context for this article, but lacking that information I’m going to do my best to illustrate what this could mean from an information security perspective.
Maybe the question to ask is, “What did the other 47% do right?” or were they not tested? There is much to be learned from the research and this report but one thing is very clear to me, these companies have plenty with which to be concerned when it comes to the state of their information security programs.
More later…
What good can come from Google DNS?
I had a recent conversation with my cousin Jim about Google’s new public DNS offering, and it got me thinking. This is one of those times where I have to ask: “In what way does using this service benefit the end user?” I’m really having trouble thinking of one. It’s not like there was a compelling need here, as every ISP provides DNS right now – it’s a ubiquitous service. An ISP that didn’t provide its own DNS to its customers would be like a TV station that only broadcast programs in black-and-white. ISP-provided DNS does fail on occasion, but in my experience, DNS-related service outages have been the exception, rather than the rule. Furthermore, DHCP makes it so that DNS assignment is transparent – so using Google DNS, which would require manual configuration of each workstation, would actually be MORE difficult for people to use. (Google is apparently aware of that fact, too – as they’ve set up a 24-hour Google DNS phone support hotline).
Google is also making some pretty interesting claims with regard to security:
Google Public DNS was also put into place to prevent the sort of DNS poisoning attacks that were disclosed last year. The system can also prevent so-called DNS “amplification attacks” that attack the DNS server itself, and then use them to route other PCs to attack target sites in an orchestrated distributed denial-of-service attack.
So my question here would be – What’s so special about Google DNS, and why wouldn’t it be vulnerable to a cache poisoning attack? BIND, the most widely used DNS server, certainly has its problems, but it seems counterintuitive to prevent cache poisoning attacks by increasing the use of caching. In fact, it would seem to me that widespread use of Google DNS would actually make the Internet less secure, by providing a VERY high-value centralized target for someone in the underground to compromise. Google, generally speaking, has a decent track record with regard to security in their hosted services, but they’re not infallible.
I have another, more philosophical, issue with this as well. By pre-fetching and caching DNS entries on a large scale, this appears to be a move to centralize DNS, and I think that’s a bad idea. DNS was designed to be inherently distributed and decentralized for some very good reasons, and if there’s a compelling reason to start moving away from that model now, I’m not aware of it.
Also, Google claims that they will only keep request log data for 48 hours, and will not monetize that data. That’s all fine and good in principle, until someone comes up with a way to legally compel Google to start keeping that data longer. Monitoring a centralized DNS like this would be such a neat way to observe Internet traffic patterns, and logs like this would be an absolute goldmine for law enforcement, repressive governments, and trial attorneys. Right now, someone looking for DNS request data would have to subpoena that information from every individual ISP – and with Google’s DNS they get a lot more bang for their buck.
So, in a nutshell – Google is taking something that’s not broken and trying to fix it, and in the process potentially opening a big can of worms with regard to security and privacy. Fortunately, I don’t think the use of Google DNS is going to become widespread any time soon, so the downside for the Internet as a whole is pretty limited.
I will be giving a talk on Sunday evening at ToorCon 11 in San Diego with Will Gragido. We will be talking about “Cyber Criminals Don’t Sleep, So Why Does Our Industry?”. The focus of the discussion will address APT’s. The Advanced Persistent Threat is nothing new but seems to be overlooked or not really talked about. What is our security industry doing to uncover the threat? What vendors are really taking the challenge one step further? I would encourage you to check out our presentation live at ToorCon on Sunday evening. After the conference, I will post the entire presentation on Cassandra with the speaker notes in detail. Stay tuned…
Perimeter? What perimeter?
This came across my feed reader this morning, and I thought it was interesting. It’s yet another example of how the traditional notion of “the perimeter” doesn’t really exist any more. In this case, attackers were able to infect machines at a few small credit unions, simply by sending CDs in the mail that appeared to be from the National Credit Union Association. All the “traditional” infection vectors go out the window here: These machines weren’t infected by an email payload, or from a malicious website, or from a software or operating system vulnerability. All the network protection in the world wouldn’t have helped here, because NOTHING went over the network prior to infection. In fact, this is a really “old-school” way of disseminating malware – it’s the 21st century equivalent of a virus being passed around on an infected floppy.
So, what might have helped?
First and foremost, well-managed and well-monitored antimalware with a good, solid signatureless detection engine, running on each and every endpoint. To quote my friend and colleague Josh Corman, trying to write a signature for a targeted attack like this is like giving a vaccine to a corpse – by the time the signature is written and deployed, the damage is long since done.
Secondly, user education and training might have also helped here, to a degree. The users who blindly ran the infected CDs were gullible, plain and simple. A user with a well-tuned B.S. detector is your best defense against social engineering attacks like this one.
Third: desktop lockdown – 90% of corporate PC users have no job-related need whatsoever for their CD drive – so WHY do they have CDs available for use? There are plenty of enterprise-manageable software tools available to disable removeable storage – use them.
The credit unions that got hit with this were NOT sitting ducks, and you don’t have to be either. You CAN defend yourself against social engineering – you just need to be proactive about it.
