<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>InfoSecPodcast.com &#187; Security</title>
	<atom:link href="http://www.infosecpodcast.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecpodcast.com</link>
	<description>Information Security related news, opinions and ramblings</description>
	<lastBuildDate>Tue, 17 Jan 2012 00:23:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<copyright>2011 </copyright>
	<managingEditor>chris@infosecpodcast.com (InfoSecPodcast.com)</managingEditor>
	<webMaster>chris@infosecpodcast.com (InfoSecPodcast.com)</webMaster>
	<ttl>1440</ttl>
	<image>
		<url>http://www.infosecpodcast.com/wp-includes/images/pod_feed_logo.gif</url>
		<title>InfoSecPodcast.com</title>
		<link>http://www.infosecpodcast.com</link>
		<width>144</width>
		<height>144</height>
	</image>
	<itunes:subtitle></itunes:subtitle>
	<itunes:summary>Information Security related news, opinions and ramblings</itunes:summary>
	<itunes:keywords></itunes:keywords>
	<itunes:category text="Society &#38; Culture" />
	<itunes:author>InfoSecPodcast.com</itunes:author>
	<itunes:owner>
		<itunes:name>InfoSecPodcast.com</itunes:name>
		<itunes:email>chris@infosecpodcast.com</itunes:email>
	</itunes:owner>
	<itunes:block>no</itunes:block>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.infosecpodcast.com/wp-includes/images/pod_feed_logo.gif" />
		<item>
		<title>APT and attribution</title>
		<link>http://www.infosecpodcast.com/2011/10/apt-and-attribution/</link>
		<comments>http://www.infosecpodcast.com/2011/10/apt-and-attribution/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 21:17:05 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[APT]]></category>
		<category><![CDATA[Industry Events]]></category>
		<category><![CDATA[RSA]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=379</guid>
		<description><![CDATA[I read an interesting analysis of the malware involved in the March RSA breach. The analysis was done by J. Oquendo and posted over at Infosec Island. After his analysis of the malware involved he believes that &#8220;its inconclusive but points more to RBN than APT.&#8221; Read through his analysis and see what you think. [...]]]></description>
			<content:encoded><![CDATA[<p>I read an interesting analysis of the malware involved in the <a href="http://www.rsa.com/node.aspx?id=3872" target="_blank">March RSA breach</a>. The analysis was done by J. Oquendo and posted over at <a href="https://www.infosecisland.com/blogview/16338-RSA-Attack-All-That-Glitters-Isnt-China.html" target="_blank">Infosec Island</a>. After his analysis of the malware involved he believes that <em>&#8220;its inconclusive but points more to RBN than APT.&#8221;</em> Read through his analysis and see what you think. Based on what information he has presented you may agree and he could be correct. I&#8217;m sure somebody knows definitively. Will we? Doubtful.</p>
<p>What I wanted to point out here is that you can&#8217;t have attribution with regards to an attack by only analyzing the tool used, no matter how thorough the analysis. We all know IPs can be changed, compromised, rented out&#8230; so relying on that won&#8217;t work. Code can be borrowed, stolen, reversed so that isn&#8217;t conclusive either. This is especially true if we are talking about Nation State sponsored cyber attacks. The tool is only part of the bigger picture. Attribution requires taking a step back and looking at this bigger picture. Who received the email? What is their role at the company? Where did the adversary get their email address? What tools did they use once inside? In what order did they use the tools? What time of day, week, month did they carry out the attack? How did they exfil the data? What did they do with the data once exfiltrated? These are just examples of data not directly tied to the code in the malware that need to be analyzed. Threat actors have patterns that they follow just as criminals have M.O.s. However these cannot be relied upon completely. Misdirection is your friend when you don&#8217;t want to be named. A lot of data needs to be analyzed before you are in the position to claim attribution. I would argue that few organizations have the expertise and experience to do so and fewer still could say conclusively, outside of Defense and Intel circles.</p>
<p>Also remember that not all advanced intrusions are APT just as not all APT intrusions are advanced. What helps constitute the Advanced in APT is their ability to pick the right tool for the job. They are not going to pull out their 0-days unless they have to, in my opinion anyway.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/10/apt-and-attribution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>McAfee acquires NitroSecurity</title>
		<link>http://www.infosecpodcast.com/2011/10/mcafee-acquires-nitrosecurity/</link>
		<comments>http://www.infosecpodcast.com/2011/10/mcafee-acquires-nitrosecurity/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 15:19:58 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=370</guid>
		<description><![CDATA[Congrats to the team at NitroSecurity. They were acquired by McAfee according to this press release today: http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx Nice job guys and girls. It&#8217;s good to see a successful exit. &#8211;Chris]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/nitro1.jpg"><img class="alignleft size-full wp-image-374" title="nitro" src="http://www.infosecpodcast.com/wp-content/uploads/nitro1.jpg" alt="" width="150" height="100" /></a></p>
<p>Congrats to the team at <a href="http://www.nitrosecurity.com">NitroSecurity</a>. They were acquired by McAfee according to this press release today: <a href="http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx">http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx</a></p>
<p>Nice job guys and girls. It&#8217;s good to see a successful exit.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/10/mcafee-acquires-nitrosecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RIM fix your Blackberry S/MIME experience, please?</title>
		<link>http://www.infosecpodcast.com/2011/06/rim-fix-your-blackberry-smime-experience-please/</link>
		<comments>http://www.infosecpodcast.com/2011/06/rim-fix-your-blackberry-smime-experience-please/#comments</comments>
		<pubDate>Sun, 19 Jun 2011 20:06:03 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Crypto]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=246</guid>
		<description><![CDATA[From an enterprise mobile device standpoint RIM&#8217;s Blackberry devices are extremely popular. Also in government and military circles it&#8217;s a very common platform. There is even a STIG (Security Technical Implementation Guide) published by DISA (Defense Information Systems Agency) to secure the Blackberry Enterprise Server. So why then is the experience so [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/rim-blackberry.jpg"><img class="alignleft size-full wp-image-341" title="rim-blackberry" src="http://www.infosecpodcast.com/wp-content/uploads/rim-blackberry-e1308502595452.jpg" alt="" width="200" height="134" /></a>From an enterprise mobile device standpoint RIM&#8217;s Blackberry devices are extremely popular. Also in government and military circles it&#8217;s a very common platform. There is even a <a href="http://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=718&amp;cid=1">STIG</a> (Security Technical Implementation Guide) published by DISA (Defense Information Systems Agency) to secure the Blackberry Enterprise Server. So why then is the experience so poor when sending or receiving S/MIME signed or encrypted emails? Probably because a decade after &#8220;The year of PKI&#8221;, secure email still remains a niche technology. Now from a personal device standpoint I totally understand that. But why is that still the case on the enterprise side?</p>
<p>There was an article I read many years ago that was called something like &#8220;Why Johnny can&#8217;t encrypt&#8221;. The gist of the article was that email encryption (and the underlying technologies like PKI) were so poorly implemented that the average user couldn&#8217;t use them or understand them. In my opinion that is as relevant today as it was a decade ago. There seem to be two schools of thought as to why this is. The first is that the implementation and resulting user experience of these technologies frankly sucks so nobody wants to use them. The second is that the masses are not asking for secure email so what gets implemented is core functionality that is just enough to say it works, depending on your definition of &#8220;works&#8221;. Call it what you will but I believe if it were easy to use then more people would use it, even if they don&#8217;t fully understand the concepts.</p>
<p>So how far have we come? Let&#8217;s take a look at the Blackberry 5.0 infrastructure and handheld OS to see how well they have implemented S/MIME. Contrary to what you may think after this article I am a huge Blackberry fan. I think when it comes to enterprise grade handheld devices and infrastructure (i.e. the BES) they have got it right for the most part. Let&#8217;s take a look at some of the issues that we have found during our Blackberry secure email evaluation.</p>
<p><strong>NOTE: </strong>It&#8217;s been a while since I was working on this. If I am mistaken on any of these feel free to correct me.</p>
<p><strong>Not enough of email is downloaded to the device to verify the certificate</strong><br />
Blackberry devices download something like the first 2K of an email. In most cases this is not enough to verify the status of the signing certificate for digitally signed emails. You have to open the message and do a &#8220;more&#8221; or &#8220;more all&#8221; to get enough of the email to verify the signature. I am not sure why the BES can&#8217;t verify the status on the server and just send the results of the signature verification.</p>
<p><strong>Forwarding / replying S/MIME emails silently drops any attachments</strong><br />
When you forward or reply to a digitally signed or encrypted email with an attachment there is a problem. The recipient will not receive the attachment and you will not see an error. The email just shows up with no attachment or errors. This is apparently due to the architecture that RIM uses, specifically the Attachment Service on the BES.</p>
<p><strong>Inconsistent certificate status messages</strong><br />
If you receive a digitally signed email that cannot be verified for one reason or another the colored line that indicates status will be Red. However the exact same email digitally signed <strong>and</strong> encrypted will have a Yellow line. Why does signed and encrypted = Yellow and signed only = Red????</p>
<p><strong>Stale Certificate status</strong><br />
Blackberry devices have significant issues checking certificate status properly. One of the main issues is that the device is apparently trying to check the status of all certificates in the chain, either via extensions in the certificates or CRL / OCSP servers specified in the configuration. This includes the Root certificate. The Root certificate does not publish a CRL on itself nor will anyone else. There is no certificate status when it comes to the root certificate. This causes Blackberry to show a Stale Status since it cannot obtain the status of the root certificate.</p>
<p><strong>Handheld devices require additional software</strong><br />
The Blackberry devices require that the S/MIME support package be installed. This is accomplished through the Desktop Manager application. Basically you install the Desktop Manager on your workstation, connect your Blackberry to your workstation then install the software. Sounds simple enough and it is for a user. That model breaks down quickly when you are talking about an enterprise that has dozens or hundreds of these devices. Pushing this as an over the air update would make it much simpler.</p>
<p><strong>User&#8217;s private keys need to be imported manually</strong><br />
To get the user&#8217;s private keys installed on the Blackberry device you must again connect to the Desktop Manager. As noted above this is something that a few users can handle but becomes a huge support burden as the number of devices grows. This is a hard one to solve given that you need to be careful when dealing with a user&#8217;s private key. You shouldn&#8217;t (in my opinion) give the users&#8217; private keys to the Help Desk and let them install them on the user&#8217;s device. I may be a bit more cautious when it comes to this than most but non-repudiation goes out the window as you lose control of your private keys. Many organizations stand up a Microsoft CA as part of the domain infrastructure. A link from BES to the CA that generates a new signing key and recovers any encryption keys then pulls them down over the air might be an interesting solution.</p>
<p>One thing I haven&#8217;t looked at is how many encryption certificates the device can hold. When my current certificate expires I&#8217;ll get a new one. Will the handheld be able to store both so I can read encrypted email that was encrypted with either certificate?</p>
<p>What has your experience been like?</p>
<p>&#8211;Chris</p>
<p>Technorati Tags: <a href="http://technorati.com/tag/Blackberry" rel="tag"> Blackberry</a>, <a href="http://technorati.com/tag/S%2FMIME" rel="tag"> S/MIME</a>, <a href="http://technorati.com/tag/PKI" rel="tag"> PKI </a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/06/rim-fix-your-blackberry-smime-experience-please/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Some things to look for in your SecurID / Remote Access logs</title>
		<link>http://www.infosecpodcast.com/2011/06/some-things-to-look-for-in-your-securid-remote-access-logs/</link>
		<comments>http://www.infosecpodcast.com/2011/06/some-things-to-look-for-in-your-securid-remote-access-logs/#comments</comments>
		<pubDate>Thu, 16 Jun 2011 03:43:42 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[APT]]></category>
		<category><![CDATA[Security How To's]]></category>
		<category><![CDATA[2 form factor]]></category>
		<category><![CDATA[Logs]]></category>
		<category><![CDATA[RSA]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=295</guid>
		<description><![CDATA[The RSA SecurID token has arguably been the de facto second factor authenticator for many years. Despite the recent breach at RSA I do not see many organizations moving to alternate vendors or other second factor technologies, like PKI / SmartCards or telephone based solutions. In the wake of the RSA breach most companies [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/rsa_sd700_category.gif"><img class="alignleft size-full wp-image-298" title="RSA SecurID" src="http://www.infosecpodcast.com/wp-content/uploads/rsa_sd700_category.gif" alt="" width="170" height="136" /></a></p>
<p>The <a href="http://www.rsa.com/node.aspx?id=1156" target="_blank">RSA SecurID</a> token has arguably been the de facto second factor authenticator for many years. Despite the <a href="http://www.rsa.com/node.aspx?id=3872" target="_blank">recent breach at RSA</a> I do not see many organizations moving to alternate vendors or other second factor technologies, like PKI / SmartCards or telephone based solutions. In the wake of the RSA breach most companies seem to be replacing tokens, hardening their SecurID &amp; Authentication Manager infrastructures and reviewing relevant security processes. I have seen a couple of organizations look to add additional authentication methods to supplement existing SecurID implementations for remote access, like requiring PKI certs in addition to SecurID for Remote Access. Obviously this capability is dependent on your Remote Access vendor. If you are staying with SecurID for your Remote Access authentication you should be taking a hard look at your access logs. Below are some searches that you may find useful if your logging environment can perform them. The ability to perform GeoIP lookups and calculate temporal data is required for some of the searches. Many of these searches will require you to baseline this activity in your environment to reduce the false positives.</p>
<ul>
<li>Top 20 Remote Access source IP addresses for the last 30 days</li>
<li>Top 20 Remote Access users for the last 30 days</li>
<li>Remote Access attempt from non-US IP address</li>
<li>Remote Access attempts at &#8220;odd&#8221; hours</li>
<li> Remote Access failures from multiple</li>
<li> Remote Access attempts from one IP address for two or more usernames</li>
<li>Remote Access attempts for one username from at least two different IP addresses in XX minutes</li>
<li>Remote Access attempts for one username from at least two different countries in an X hour period</li>
<li>Remote Access sessions of longer than usual duration</li>
<li>SecurID authentication attempt involving Invalid / Revoked / Expired tokens</li>
<li>SecurID authentication attempts involving one username and multiple token serial numbers</li>
<li>SecurID authentication attempts involving one token serial number and multiple usernames</li>
<li>SecurID &#8220;Right Token code, wrong PIN&#8221; messages</li>
</ul>
<p>There are probably others that can be added to the list. Your RSA sales rep can provide you with a copy of their Security best practices guide for Authentication Manager as well as their Log Monitoring Guidelines. The NSA&#8217;s Information Assurance Directorate has also published an unclassified advisory on securing your SecurID infrastructure. If you Google it you should be able to find a copy.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/06/some-things-to-look-for-in-your-securid-remote-access-logs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WPScan – WordPress Security Scanner</title>
		<link>http://www.infosecpodcast.com/2011/06/wpscan-%e2%80%93-wordpress-security-scanner/</link>
		<comments>http://www.infosecpodcast.com/2011/06/wpscan-%e2%80%93-wordpress-security-scanner/#comments</comments>
		<pubDate>Fri, 10 Jun 2011 02:34:20 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=273</guid>
		<description><![CDATA[I came across an interesting tool for us WordPress bloggers: WPScan from http://www.ethicalhack3r.co.uk/security/introducing-wpscan-wordpress-security-scanner/ WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use is to be for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/blue-m.png"><img class="alignnone size-full wp-image-277" title="WordPress logo" src="http://www.infosecpodcast.com/wp-content/uploads/blue-m.png" alt="" width="100" height="100" /></a></p>
<p>I came across an interesting tool for us WordPress bloggers: WPScan from <a href="http://www.ethicalhack3r.co.uk/security/introducing-wpscan-wordpress-security-scanner/" target="_blank">http://www.ethicalhack3r.co.uk/security/introducing-wpscan-wordpress-security-scanner/</a></p>
<blockquote><p>WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use is to be for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is Open Source and licensed under the <a href="http://www.gnu.org/licenses/gpl.html" target="_blank">GPLv3</a>.</p>
</blockquote>
<blockquote><p><strong>Features include:</strong></p>
<ul>
<li>Username enumeration (from ?author)</li>
<li>Weak password cracking (multithreaded)</li>
<li>Version enumeration (from generator meta tag)</li>
<li>Vulnerability enumeration (based on version)</li>
<li>Plugin enumeration (todo)</li>
<li>Plugin vulnerability enumeration (based on version) (todo)</li>
<li>Other miscellaneous checks</li>
</ul>
</blockquote>
<p>This may make a good addition to the excellent <a href="http://semperfiwebdesign.com/custom-applications/wp-security-scan/" target="_blank">WP Security Scan plugin</a> from Semper Fi Web Design. WP Security Scan does a great job of checking for common issues with WordPress installations. I&#8217;ve used this plugin since it was released.</p>
<p>Do you have a favorite WordPress security plugin, tool, tip?? Let us know.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/06/wpscan-%e2%80%93-wordpress-security-scanner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do you digitally sign email?</title>
		<link>http://www.infosecpodcast.com/2011/06/do-you-digitally-sign-email/</link>
		<comments>http://www.infosecpodcast.com/2011/06/do-you-digitally-sign-email/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 23:00:46 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[PKI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Digital Signature]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=303</guid>
		<description><![CDATA[I&#8217;ve been a fan of digital signatures ever since I worked for a PKI company (CertCo) back in 2000. I like the idea that I can send an email and the recipient can tell if someone has tampered with it. Even though I think there have been a couple of &#8220;years of PKI&#8221; it has never [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/digital5.jpg"><img class="alignleft size-full wp-image-306" title="Digital Certificate" src="http://www.infosecpodcast.com/wp-content/uploads/digital5.jpg" alt="" width="160" height="144" /></a></p>
<p>I&#8217;ve been a fan of digital signatures ever since I worked for a PKI company (CertCo) back in 2000. I like the idea that I can send an email and the recipient can tell if someone has tampered with it. Even though I think there have been a couple of &#8220;years of PKI&#8221; it has never really caught on. Client software issues, complexity to the end user, distribution of keys / certs, status checking&#8230; all have some hand in the limited adoption. Personally I think the biggest barrier is what happens when you send digitally signed email outside your organization. Unless your certificates are provided by a commercial entity (like Verisign) your email will generate a trust error when the recipient opens it.</p>
<p>I am starting to see some forward traction with digitally signed email, specifically in an attempt to fight phishing. The basic idea is that if everyone in your organization digitally signs their email then an un-signed email from the CEO with an attachment would stand out. Is that a cure? Of course not. Rolling out certs to your organization is no small feat. Depending on the desktop environment (OS, Mail client, etc) there may be adoption issues. That said I have found digitally signing email has benefits worth the implementation and training efforts.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/06/do-you-digitally-sign-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Giving a presentation on APT tonight in Manchester, NH</title>
		<link>http://www.infosecpodcast.com/2011/04/giving-a-presentation-on-apt-tonight-in-manchester-nh/</link>
		<comments>http://www.infosecpodcast.com/2011/04/giving-a-presentation-on-apt-tonight-in-manchester-nh/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 13:15:35 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[APT]]></category>
		<category><![CDATA[Presentations]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=269</guid>
		<description><![CDATA[At the last meeting of the New Hampshire chapter of ISSA the subject turned to Advanced Threats (APT, SMT, etc). This was driven mostly by the RSA announcement of their breach that happened just prior to the meeting. I was asked to put something together to share at the next meeting. Most of the presentation [...]]]></description>
			<content:encoded><![CDATA[<p>At the last meeting of the <a href="http://www.issanh.org">New Hampshire chapter of ISSA</a> the subject turned to Advanced Threats (APT, SMT, etc). This was driven mostly by the RSA announcement of their breach that happened just prior to the meeting. I was asked to put something together to share at the next meeting. Most of the presentation focuses on what kinds of things you should be paying attention to on your hosts and networks, the tools and infrastructure that will help in detection and some tips on what organizations can do to make it harder for the bad guys. This information is out there in public sources but is difficult to piece together. </p>
<p>You do not have to be a member of ISSA International or the NH chapter to attend. It&#8217;s a good opportunity to network with your peers in other area organizations. Tonight&#8217;s meeting is at the Manchester Public Library at 405 Pine Street. Directions can be found <a href="http://www.manchesternh.gov/website/library/VisitUs/Directions/tabid/778/Default.aspx">here</a>.</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/04/giving-a-presentation-on-apt-tonight-in-manchester-nh/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSA Security breached by APT</title>
		<link>http://www.infosecpodcast.com/2011/03/rsa-security-breached-by-apt/</link>
		<comments>http://www.infosecpodcast.com/2011/03/rsa-security-breached-by-apt/#comments</comments>
		<pubDate>Fri, 18 Mar 2011 00:39:20 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Alert]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=248</guid>
		<description><![CDATA[EMC has announced that their RSA division has been compromised. It seems the focus of the attack was information on their SecurID product. RSA in the letter from Art Coviello said: While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/rsakeyfob.gif"><img src="http://www.infosecpodcast.com/wp-content/uploads/rsakeyfob-300x164.gif" alt="" title="rsakeyfob" width="150" height="82" class="alignnone size-medium wp-image-250" /></a></p>
<p>EMC has announced that their RSA division has been compromised. It seems the focus of the attack was information on their SecurID product. RSA in the <a href="http://rsa.com/node.aspx?id=3872">letter from Art Coviello</a> said:</p>
<blockquote><p>
While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.
</p></blockquote>
<p>Not good. It is interesting that they specifically mention APT (Advanced Persistent Threat) as the &#8220;category&#8221; of attack. As anyone who deals with advanced threats will tell you, it&#8217;s not a matter of if&#8230; it is a matter of when. I have many friends over at RSA and hopefully they are able to quickly deal with this. Sorry guys&#8230; welcome to the club :(</p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2011/03/rsa-security-breached-by-apt/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New mass-mailing worm spreading like crazy &#8211; VBMania</title>
		<link>http://www.infosecpodcast.com/2010/09/new-mass-mailing-worm-spreading-like-crazy-vbmania/</link>
		<comments>http://www.infosecpodcast.com/2010/09/new-mass-mailing-worm-spreading-like-crazy-vbmania/#comments</comments>
		<pubDate>Thu, 09 Sep 2010 21:33:54 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=244</guid>
		<description><![CDATA[Normally I let the vendors communicate this stuff out but this is spreading like crazy. A mass-mailing worm that McAfee is calling VBMania is on the loose. We&#8217;ve stopped a ton of these this afternoon. More information here: http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/ &#8211;Chris]]></description>
			<content:encoded><![CDATA[<p>Normally I let the vendors communicate this stuff out but this is spreading like crazy. A mass-mailing worm that McAfee is calling VBMania is on the loose. We&#8217;ve stopped a ton of these this afternoon.</p>
<p>More information here: <a href="http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/">http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/</a></p>
<p>&#8211;Chris</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2010/09/new-mass-mailing-worm-spreading-like-crazy-vbmania/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel to acquire McAfee for $7.7 Billion</title>
		<link>http://www.infosecpodcast.com/2010/08/intel-to-acquire-mcafee-for-7-7-billion/</link>
		<comments>http://www.infosecpodcast.com/2010/08/intel-to-acquire-mcafee-for-7-7-billion/#comments</comments>
		<pubDate>Mon, 23 Aug 2010 00:37:26 +0000</pubDate>
		<dc:creator>Chris Harrington</dc:creator>
				<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Viruses & Worms]]></category>

		<guid isPermaLink="false">http://www.infosecpodcast.com/?p=240</guid>
		<description><![CDATA[Most of you have probably heard that Intel announced that it will acquire McAfee for almost $8 billion. What I find interesting is that Intel paid $48 per share, or about 60% more than the $30 per share at which McAfee had been trading. There are a lot of discussions about why Intel did [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.infosecpodcast.com/wp-content/uploads/IntelMcAfee.jpg"><img src="http://www.infosecpodcast.com/wp-content/uploads/IntelMcAfee.jpg" alt="" title="Intel buys McAfee" width="300" height="160" class="alignnone size-full wp-image-241" /></a></p>
<p>Most of you have probably heard that <a href="http://www.reuters.com/article/idUS372474677420100821">Intel announced</a> that it will acquire McAfee for almost $8 billion. What I find interesting is that Intel paid $48 per share, or about 60% more than the $30 per share at which McAfee had been trading. There are a lot of discussions about why Intel did this. Bruce Schneier has an <a href="http://www.schneier.com/blog/archives/2010/08/intel_buys_mcaf.html">interesting thread</a> on this.</p>
<p>Having used McAfee at several companies I thought this quote particularly interesting.</p>
<blockquote><p>McAfee may be able to optimize its notoriously performance-hungry software now that it’s a part of the company that provides the CPUs to many computers</p></blockquote>
<p>Will we see an Intel based &#8220;antivirus chip&#8221; on mobos? Maybe&#8230;</p>
<p>&#8211;Chris</p>
<p>Technorati Tags: <a href="http://technorati.com/tag/Intel" rel="tag"> Intel</a>, <a href="http://technorati.com/tag/Mcafee" rel="tag"> Mcafee </a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infosecpodcast.com/2010/08/intel-to-acquire-mcafee-for-7-7-billion/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>