Shostack + Friends Blog Archive

 

Seriously? Are We Still Doing this Crap? (RANT MODE = 1)

These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches.

And while CISO’s love it when I bring this fact up in front of their dev. teams, in all deference to software developers and any ignorance of secure coding, we (the security industry) are just as guilty of equal (and perhaps equally damaging) stupidity.

Take as an example, this computerworld article. Please.

Ostensibly, this article is about “Six Enterprise Security Leaks You Should Plug Right Now“. Now when I see “Six Enterprise Security Leaks You Should Plug Right Now” I think – wow, these are going to be the most common and serious causes of data breaches and security incidents. Pull the emergency rip chord, scramble the F-5’s for interception and send launch codes to the subs. This is going to be proven attack vectors and techniques enumerated in a no-BS manner for the CIO.

Unfortunately, this is a great piece of circa 1999 FUD horseshit.

First example: The Bluetooth Gun

Things I think when I see this pic:

  • 55% “Compensating for something?”
  • 33% “Because pointing a 4.5 foot gun at someone is COMPLETELY inconspicuous!”
  • 12% “It’s not just Bluetooth, it shoots PSYCHIC BULLETS!!!!!!1!1”

Like really? Bluetooth rifles? In all fairness, this first “panic and plug” piece of the article is ostensibly about “smartphone security”. And I guess RSnake is giving fine advice. But really, trying to tell execs that they can’t have an iPhone because there’s some corn-fed, hand-spanked Insane Clown Posse fan with a “bluetooth rifle” might “steal their address book” is going to make you look like, well, and insane clown.

Hilarious, of course, is the recommendation that organizations give company sanctioned “robust” platforms like Android. Because when I think “robust”, time-tested, and controlled platform for development and enterprise adoption, I think “Android” (not a knock on Android per se, fans of the platform, no. But seriously, you have to acknowledge that it’s pretty much still a “newer” smartphone platform and not exactly one under the control of Google in terms of quality to market).

Second is “Open Ports on a Network Printer.” Really.

I’m gonna be frank and honest with you, dear reader. My PenTest experience is about 5 years out of date, but I’m willing to bet that things haven’t changed that much and I can still say with all certainty and seriousness that if your internal security is tight enough that you have to worry about “open ports on networked printers” you’re already in the 98th percentile of capable security organizations. Take a break, pat yourself on the back, have an octoberfest something, and then tomorrow you can worry about something like solving Log Management issues. Forget “network printers”.

“One of the reasons you do not hear about it is because there is no effective way to shut them down,” says Jay Valentine, a security expert.

“Another one of the reasons you do not hear about them is because in terms of security issues within the network perimeter, printers are about as important as, say, the possibility that some mentally unstable SEO/ Web analytics employee has a 4.5 foot bluetooth gun in his cube and is using it to capture screen shots of your CFO playing Angry Birds on her iPad, posting them to Facebook, Yahoo Forums, and otherwise embarrassing the CFO’s 14 year old son because his Mom plays Angry Birds at work.” – Alex Hutton, not an expert at anything

Custom-developed Web apps with bad code is, actually, at least according to the DBIR, something to worry about. I’ll limit the snakiness on this one, they got it right.

Next is something I really have an issue with. They label it “Social Network Spoofing” and I have to ask – is this an enterprise “leak” that IT can “plug”?

I mean, RSnake’s example is a phone based social attack where someone impersonates monster.com. And phone attacks do make up something like 21% of Social attacks in the DBIR data set. That’s fine. But we’re dealing with a phone based attack, here. Not something having to do with Facebook. And really, after the whole stupidity and non-story of Robin Sage – is it a good idea to even bring this up? We can add to the craziness the fact that there isn’t a lot of evidence for this attack vector and the remediation that enterprises should take, and most confoundingly (yes, it’s a Yosemite Sam word, deal with it), according to this article, is “email verification that confirm the identity of the sender”. Yeah. Because that shit’s ubiquitous. What you really want is to limit your users ability to interact with customers, vendors, and other business silos because they don’t use compatible “email verification” platforms.

Look, I know awareness programs are much maligned. And I’m completely aware that most of them suck it. But really, there’s no way that you’re going to combat phone based scams with technology. It’s called SOCIAL ENGINEERING for a reason. You’re not manipulating systems, you’re manipulating people. This may be a leaky hole or something (proportionately, it’s not, really if you take data breach stats with any seriousness) but the remediation is, well, strange. In my social engineering experience, I’ve gotten tons of information without using email as a vector as a follow up from a phone call.

Employees Downloading Illegal Movies and Music

Winn Shwartau is right, there’s no reason that folks should be putting this crap on work boxes, and P2P is a filth pit of code.

But I’m looking in the DLDB/Verizon/USSS data sets and you know what? I’m finding a lot more basic crap people need to worry about in terms of both frequency and impact. P2P is bad, get marimba or something and keep that crap off user endpoints, sure. But P2P just doesn’t seem to be a top 6 enterprise leaky whole thingy stop the world and panic write a computerworld article about it.

Finally, we have SMS text messaging spoofs and malware infections.

You know how often SMS text messaging is a vector in the data sets I’ve seen? really? zero. none. I’ve never seen any incident of any magnitude be more than a “proof-of-concept work” (schwartau’s words, not mine).

Seriously, folks. Look at hacking and malware paths in the DBIR. And be very, very concerned about SQLi and other remote access. Draw on bot net stats from the Microsoft SIR and be wholly uncomfortable with the complexity and size of your network. Read the Visible Ops for Security book (now on Kindle!) and understand how far from process maturity your IT and IT security processes are and weep accordingly. Sort through DLDB and be afraid at what evil lurks in the laptops of end users. There are real problems with the state of corporate IT Security.

But SMS text messages, getting “business intelligence” (these words you use, I don’t think they mean what you’re thinking) or SMS text messages installing mobile malcode? Not one of the big problems. not even close. Hell, I’d love for the industry to be in such a secure state that malcode installed by SMS *is* a big “enterprise leak thing” to panic and plug. Same with Network Printers. But right now, every ounce of data says that going to “your carrier and work with them to make sure that they’re using malware blocking software” is not only a complete waste of energy, but it’s basically bat-shit insane.

They’re coming to take your cell phones away, haha

What bothers me most about this article is that two people I esteem, RSnake and Winn, are feeding the FUD. Focusing on the possible (seriously, that bluetooth gun pic cracks me up everytime I see it) and ignoring what’s actually causing breaches for the sake of media sensationalism is a complete FAIL.

Let’s see if our own FUD makes the Defcon FAIL panel this year.

Sorry for the Nick Cage with crazy eyes.

7 comments on "Seriously? Are We Still Doing this Crap? (RANT MODE = 1)"

  • LonerVamp says:

    You know, I’ve navigated this entire day without seeing a rant-inducing article. Maybe even two days in a row, if I could remember yesterday. And here you go, bandying this about…and you apologize for…Nic Cage eyes?!? Bah, you should apologize for landing me into that ComputerWorld article!

    And you’re entirely justified in this rant. In fact, it’s not harsh enough. Hackers can blow up my printer and spew hot toner on nearby employees?!?

    Anyway, this is one of those articles that confirms my belief that too many [security] journalists really don’t have any IT experience that translates into forming coherent articles about IT. Someone strung together a bunch of quotes to make a craptastic story…kinda like COD:Modern Warfare 2.

  • Marsh Ray says:

    I have to agree that making a radio antenna disguised as an assault rifle with grenade launcher is an exceptionally stupid idea.

    All very true – today.

    But let’s keep in mind that the proof-of-concept Bluetooth gun of today is the ubiquitous threat of tomorrow.

    It wasn’t too long ago that corporate data security was largely auditing PCs for antivirus software. We all knew it was theoretically possible of course, but if you’d raised the possibility back then that viruses would become mere routes of infection for distributed p2p c&c botnets comprised of millions of infected PCs and which had the built-in logic to inject code into user’s web browsers which knew the specifics of their bank’s online banking application and used it to transfer money to organized criminal gangs from the former Soviet Union, you would have gotten a reaction similar to the one you just presented.

    There’s nothing inherently implausible about a worm which replicates via networked printers any more than a worm replicating via embedded SQL servers. It might be mildly harder to implement but not prohibitively so. If it hasn’t already happened, it’s probably because no attackers have gotten around to it yet because they’re too busy successfully targeting SCADA and industrial control processes or something.

    So if your definition of security is being better at reacting to previously observed pwnage than 98% of companies, that’s fine. But don’t expect to get ahead of future threats or current threats from targeted attackers that way.

  • Alex says:

    @Marsh

    that’s all well and good, but ive been hearing absolute industrial solvent huffing insanity about network printers and bluetooth guns for pert near a decade. Why we have to dig up the improbable nut sack exploits of 1999 for a FUD article is waaaay beyond me, especially when we are *still* dealing with the mundane exploits of 1998 in terms of data we do have.

    in other words, yea, flying cars and jet packs are cool future things to think about, but right now my ass is being handed to me by a 1997 Saturn station wagon.

  • Ben says:

    Not to defend the indefensibly bad article, but… on the network printers, I think they probably just missed the lede on it… if you’re talking about printers and copiers with built-in hard drives, then this has started to emerge as a concern, particularly with lawyers now including them in discovery request, but…. yeah, kinda lame.

    I wonder if RSnake was actually interviewed directly for this, or if these quotes are taken from a completely different context…

  • Adrian Sanabria says:

    I’m by no means defending the completely uninformed bullshit article, but I have to give them one of the six.

    As a pentester, printers are a good target. There is a whole generation/culture of older folks in IT that print EVERYTHING. Emails, contracts, POs, personal correspondence, performance reviews, signed documentation, password lists… Everything. Many of them are in VP or executive levels.

    I can’t be the only pentester to bag digital copies of executive signatures, passwords, and emails with sensitive info from an unprotected printer.

    In summary:
    – It is extremely easy to capture print jobs, or sniff them off the wire in most cases
    – If you have an hour or so, you can get very sensitive stuff
    – Nearly every enterprise I’ve been in is vulnerable. I don’t think I’ve ever run into a hardened network printer.

    I’d say for at least one out of the six, it is reasonable to say that, YES, that is something you should fix.

  • Pingback: Top 3 NoVA Infosec Blog Posts of the Week | NovaInfosecPortal.com [link to http://www.novainfosecportal.com/2010/10/22/top-3-nova-infosec-blog-posts-of-the-week-74/ no longer works]
  • Andrew says:

    i think the real threat that no one is talking about that will really affect us in five years is socially networked printers.

Comments are closed.