Archive for the ‘Ethics’ Category

An Analysis of the Analysis of the Apache.org Attack

April 18th, 2010 mstarks 2 comments

Over at the Apache blog, you’ll find a nice and detailed incident report on the recent, successful attack on Apache.org. I thought it might be worth a few minutes to share my thoughts on their write-up.

First, I would like to say that the level of transparency in this response is truly commendable. Rather than sweep this under the rug, they have chosen to share the details of what happened, why it happened (more on that in a moment) and what their plans are to, hopefully, prevent future breaches.

I encourage you to read the entire post, because it is a good account of how actual, real-world attacks happen. Targeted attacks take advantage of trust (both in people and machines), shared and weak passwords, too much privilege and an assortment of other security 101 vulnerabilities.

The attack chain consisted of an XSS vulnerability, brute-force logins, a shortened URL used to disguise the malicious link, password sniffing, password re-use and social engineering. Pretty typical stuff, really.

What I find most interesting about this report is the emphasis on technical countermeasures in the What are we Changing? section, when the attack succeeded primarily due to vulnerabilities in human beings.

  • The Infrastructure Team members clicked on a cloaked and untrusted link, which launched an XSS attack.
  • A brute force login succeeded against a poorly chosen password. But prior to its success, nobody appears to have been alerted to the large number of failed login attempts.
  • They once again exploited the Infrastructure Team by getting them to log in with a password that the team members, themselves, did not choose.
  • They took advantage of cached passwords on the server.
  • Slicehost didn’t respond to the attack when notified, which enabled one host to continue its attack against someone else.

These are all people issues. It’s the same stuff that we security types have been trying to hammer into the brains of people for years now. There are certainly technical countermeasures which could have helped, but this was an attack on people.
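The one technical control on that list whose absence is unambiguous is a threshold alert on failed logins. The following is an added example, not code from the Apache report or from this post: a small detector run over constructed log lines that fires on a single account being hammered from one source, on one source spraying many accounts, and, most importantly, on a success that follows either of those. The log format, hostnames and thresholds are assumptions; a real deployment would parse sshd, the application's access log, or OSSEC's own alerts instead.

```python
"""Threshold alerting on failed logins.

Added example, not code from the Apache report or from this post. The log
format below is constructed for illustration; a real deployment would parse
sshd, the application's access log, or OSSEC's own alerts instead.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source guessing a single account until it succeeds,
# one source spraying several accounts, and a user who simply mistyped once.
SAMPLE_LOG = """\
2010-04-06 10:00:01 login FAILED user=admin src=203.0.113.5
2010-04-06 10:00:02 login FAILED user=admin src=203.0.113.5
2010-04-06 10:00:03 login FAILED user=admin src=203.0.113.5
2010-04-06 10:00:04 login FAILED user=admin src=203.0.113.5
2010-04-06 10:00:05 login FAILED user=admin src=203.0.113.5
2010-04-06 10:00:06 login OK user=admin src=203.0.113.5
2010-04-06 10:01:00 login FAILED user=alice src=198.51.100.9
2010-04-06 10:01:01 login FAILED user=bob src=198.51.100.9
2010-04-06 10:01:02 login FAILED user=carol src=198.51.100.9
2010-04-06 10:01:03 login FAILED user=dave src=198.51.100.9
2010-04-06 10:01:04 login FAILED user=erin src=198.51.100.9
2010-04-06 10:30:00 login FAILED user=frank src=192.0.2.77
2010-04-06 10:30:20 login OK user=frank src=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def _expire(q, now, window, key):
    """Drop entries that have fallen out of the sliding window."""
    while q and now - key(q[0]) > window:
        q.popleft()


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Scan lines in order and return a list of (kind, src, user, ts) alerts.

    brute_force:            >= threshold failures for one (src, user) pair in the window
    spray:                  >= threshold distinct users failing from one src in the window
    success_after_failures: a login succeeds from a source that already tripped an alert
    """
    failures = defaultdict(deque)   # (src, user) -> failure timestamps
    by_src = defaultdict(deque)     # src -> (timestamp, user) of each failure
    fired = set()                   # (src, user) or (src, "*") keys already alerted on
    alerts = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        ts, src, user = ev["ts"], ev["src"], ev["user"]
        if ev["result"] == "OK":
            # The success is the event that matters: the guessing probably worked.
            if any(k[0] == src for k in fired):
                alerts.append(("success_after_failures", src, user, ts))
            continue
        q = failures[(src, user)]
        q.append(ts)
        _expire(q, ts, window, key=lambda t: t)
        if len(q) >= threshold and (src, user) not in fired:
            fired.add((src, user))
            alerts.append(("brute_force", src, user, ts))
        s = by_src[src]
        s.append((ts, user))
        _expire(s, ts, window, key=lambda e: e[0])
        distinct = sorted({u for _, u in s})
        if len(distinct) >= threshold and (src, "*") not in fired:
            fired.add((src, "*"))
            alerts.append(("spray", src, ",".join(distinct), ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} ALERT {kind:<22} src={src} user={user}")
```

The alert worth paging someone for is the third kind: a run of failures followed by a success from the same source. Counting failures alone produces noise from mistyped passwords (the frank lines above never fire), and counting only per-account misses a slow spray across many accounts, which is why both windows are kept.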

It’s easy for us to play armchair quarterback and be critical of the response; however, that is not my intention. Rather, it is my intent to simply cast another light on the response so we can all learn and secure our assets more effectively.

The OSSEC Effect

April 9th, 2010 mstarks No comments

Many years ago, after I had been using OSSEC in an enterprise setting for a few months, I noticed an interesting phenomenon. Administrators, many of whom I had forwarded “was this you?” alerts to, were now coming to me to rat on themselves.

I would be working away in my cubicle when someone would come up behind me. It went something like this:

“Hey, Mike. Just wanted to let you know that you’ll be seeing me <insert action here> in the logs. No cause for concern.”

“Thanks for the heads up,” I would reply.

The administrators knew they were being monitored, but didn’t exactly know the full details of the monitoring. They naturally assumed I would see what they were up to. In many cases I wouldn’t have known.

The vast majority of these folks were honest to begin with, but I can’t help but think it assisted them in following process and being just a bit more transparent with what they were doing. Maybe it even dissuaded someone who was on the fence from doing something vindictive.

After seeing this in other environments, I think it deserves a term. At the risk of coining a term for something that has already been identified, I hereby declare this the “OSSEC Effect.” The definition (which could use some refinement) is as follows:

OSSEC Effect: The alteration of a computer user’s behavior when they know their actions are being monitored, but do not realize or understand the extent of the monitoring. Users will, without provocation, volunteer information they believe could be seen as questionable, whether the monitoring system would have known about it or not.

A Public Lesson on How to Handle a Breach

March 15th, 2010 mstarks No comments

When I first heard about this, I thought to myself, “Say it isn’t so. Tell me this is just a big misunderstanding. Tell me that my favorite place to buy cables at great prices wasn’t breached.” Alas, it seems to be true. Monoprice.com had a breach.

I wasn’t too concerned since all of my credit card numbers are unique and automatically generated, and all of the e-mail addresses I use for businesses are also unique, but just the same, I checked my statement. So far, all is well.

As a security guy, I suppose I should forever relegate monoprice.com to the vendor blacklist. After all, they must have been doing something wrong to allow the bad guys to get in, right? That may indeed be the case. They may have had security so bad you could drive a truck through it. Then again, maybe it was very good.

Breaches happen. It’s very, very hard to cover every known threat, let alone the unknown. Security professionals have to anticipate and protect against all threats, while the criminal only has to find one vulnerability. Most of the time it’s not even under our direct control. We are charged with the responsibility of security and get the blame when a breach happens, but encounter fierce resistance when we tell management what really needs to be done to properly secure a site.

Unlike Gexa Energy, who took almost a year to notify affected customers of a breach, monoprice.com took the bold move of prominently and publicly placing a warning on the front page of their web site. They further went on to stop accepting orders while the breach investigation was continuing. Right now they’re trying to get back on their feet.

Preventing a breach is difficult enough, but the truer measure of an effective security program is how you respond to a breach. Do you issue carefully-crafted letters from the PR department or do you level with your customers? Do you attempt to shun responsibility or do you recognize your mistakes and learn from them?

It seems that monoprice.com recognizes its responsibility to its customers and is doing the right thing. That, combined with my personal risk-mitigation strategies, probably means I will do business with them again.

How Not to Handle Notification of a Potential Security Problem

February 19th, 2010 mstarks 1 comment

A while back I signed up for the CouponMom.com newsletter (hey, who doesn’t like to save a few bucks), using a unique and distinctive e-mail address used only for this purpose.

A while later, I started to get garden variety spam to this e-mail address (Viagra, etc.).

There are a few reasons this could happen:

  1. I have been compromised and the spammers think it would be clever to use that address.
  2. Spammers start spamming that address as a matter of chance or because they think, “hey, this guy likes Coupon Mom, maybe he’ll like some male enhancement!”
  3. Coupon Mom is supplementing her income by spamming or selling the data, which makes its way into spammers’ hands.
  4. Coupon Mom has been compromised.

Usually, when this happens, it’s number 4.

I got to thinking, “hey, they might want to know there might be a problem. I should tell them.”

I fill out their contact form and wait. More than a week goes by with no response.

I try to post a cautionary word to the forum. More than a week goes by and I don’t pass moderation.

I fill out the form again, indicating that it would be better for them to investigate this and notify their members of a breach, if one happened, than it would be for me to speculate about it.

Finally, I get a response. The response, in part, states:

You must have signed up for a Google advertiser link on the site, since the email signups for my site are not shared with any other party.

I am sorry you have had this experience, but caution you against publicly slandering The Coupon Mom program and our member database as the source of the unsolicited email.

Can I say that the Coupon Mom database has been breached? Categorically, no. But I can say that there are symptoms which, in my opinion, should cause a reasonable person to take a closer look.

What’s the lesson here? When someone tells you of a potential problem with your security, don’t just assume you are impenetrable. That person may serve as an early warning of a serious problem you would want to be on top of.
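Both this post and the Monoprice one above rely on the same trick: a distinct address per vendor, so that spam arriving at one of them tells you who leaked or sold it. The following is an added example, not code from either post, that takes the trick one step further by embedding a short HMAC of the vendor label in the local part of the address. That lets you tell a genuine leak apart from a spammer who merely guessed the alias pattern, and lets you total up leaks per vendor over a batch of spam. The secret key, the "me" prefix and the domain are assumptions.

```python
"""Per-vendor e-mail aliases that identify who leaked them.

Added example, not code from the posts above. It extends the practice they
describe (a distinct address per vendor) by embedding a short HMAC of the
vendor label in the local part, so that spam arriving at an alias can be
attributed to a vendor and a guessed or mangled alias can be told apart from
a real leak. The secret key, the "me" prefix and the domain are assumptions.
"""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # assumption: a per-user secret the vendor never sees
DOMAIN = "example.com"             # assumption
TAG_LEN = 8                        # 8 hex chars = 32 bits, enough to defeat casual guessing


def _label(vendor):
    """Normalise a vendor name into the characters the alias format allows."""
    return re.sub(r"[^a-z0-9]", "", vendor.lower())


def _tag(label, secret):
    """Truncated HMAC-SHA256 of the label under the per-user secret."""
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(vendor, secret=SECRET, domain=DOMAIN):
    """Address to hand to a vendor, e.g. me+couponmom-1a2b3c4d@example.com."""
    label = _label(vendor)
    return f"me+{label}-{_tag(label, secret)}@{domain}"


def attribute(address, secret=SECRET, domain=DOMAIN):
    """Classify the recipient address of an inbound message.

    ("leak", label)    genuine alias: the vendor named by label leaked or sold it
    ("forged", label)  alias-shaped but the tag is wrong: guessed, not leaked
    ("unknown", None)  not one of our aliases at all
    """
    pattern = r"me\+([a-z0-9]+)-([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(domain))
    m = re.fullmatch(pattern, address.lower())
    if not m:
        return ("unknown", None)
    label, tag = m.groups()
    if hmac.compare_digest(tag, _tag(label, secret)):
        return ("leak", label)
    return ("forged", label)


def triage(recipients, secret=SECRET, domain=DOMAIN):
    """Given the To: addresses of a batch of spam, count genuine leaks per vendor."""
    counts = {}
    for addr in recipients:
        kind, label = attribute(addr, secret, domain)
        if kind == "leak":
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inbound batch: two genuine alias hits, one alias carrying the
    # wrong tag, and one unrelated address.
    good = alias_for("Coupon Mom")
    wrong_tag = "me+monoprice-" + good.split("-", 1)[1]   # couponmom's tag under another label
    for addr in (good, wrong_tag, "me@example.com"):
        print(addr, "->", attribute(addr))
    print(triage([good, good, wrong_tag, "me@example.com"]))
```

A plain "+vendor" suffix already gives attribution, but anyone who has seen one of your addresses can guess the others; the tag closes that gap without changing how you hand addresses out. Keep the secret with you, not with your mail provider's address book, or the scheme tells you nothing the provider could not already forge.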

Who Controls Your Phone?

November 16th, 2009 mstarks No comments

My wife got an Apple iPhone over the weekend. It’s an amazing piece of technology. Apple has done a fine job adapting a traditional computer into a phone form-factor. It truly sets the bar at an entirely new level for portable computing. Of course, there’s also an integrated phone.

I emphasize that it’s a computer because it has all of the characteristics of a computer. With the iPhone, the phone is simply another application on the computer–not unlike a Skype application might be installed on your Windows computer.

Our models of computers and phones have strong, but mostly disassociated relationships. We have a history of using computers as an important extension of all sorts of information. We understand that allowing others to have total control over our computers is generally a bad thing, whether that someone is a government entity, corporation or script-kiddie. Phones, on the other hand, have traditionally been far less complicated. There is a pretty basic hardware device and a service provider. The risks are well understood.

As I was playing with the iPhone and trying to find ways to meet my wife’s IT needs, it became increasingly clear how little control I had over this computer. Without jailbreaking the phone, I had no way to get a shell, and therefore no way to collect logs, change passwords, harden the underlying OS, install intrusion detection, or do any of the other things I would normally do to a computer I managed. Apple was my only source for applications and only those applications which Apple approved of could be installed. My hands were completely tied.

Unless I jailbreak this phone, accept the risk of something else not working or of Apple breaking it in an update, and work through the ethical questions that come with doing so, I am completely at the mercy of Apple for the phone’s security and functionality. My risk assessment is theirs. My acceptance of risk is their acceptance of risk, which undoubtedly is primarily influenced by their bottom line.

This goes far beyond risk management. Imagine the outcry if Microsoft only allowed applications which they permitted to be run on Windows. We would have a world entirely dominated by Microsoft.

We need to lobby our lawmakers to, without equivocation, absolutely require computing platforms to be open enough for fair competition and where one company cannot call all of the shots. This is not about open source; this is simply setting requirements for a heterogeneous platform where the risk of total control of data is minimized.

As the world becomes more mobile, this will need to be increasingly recognized as an essential liberty.

Categories: Ethics, Personal Liberty

IncrediSpam

October 14th, 2009 mstarks No comments

I recently started getting spammed by Incredimail. I’m not going to give them the courtesy of a link here, but Incredimail is one of those useless (to me) applications that is supposed to make e-mail “fun” by junking it up with a bunch of graphics. I prefer my e-mail plain-text, thanks.

The interesting part is that they are spamming an e-mail address I have only used to provide my parents help with their computer. When I set up Remote Assistance for them, I used an address that is very distinct and which I have never used anywhere else.

It seems that they harvested the “to” address and decided I needed some of their useless junk, despite not so much as an unsolicited “invitation” (which would still be spam) to receive their newsletters.

Spam is spam, whether it comes from some guy in Elbonia hawking Viagra or from some supposedly legitimate company. Don’t do business with spammers. Don’t use Incredimail.

Categories: Computer Crime, Ethics

INSERT Ethics INTO Public Web App Testing

October 2nd, 2009 mstarks No comments

A few of my posts have involved debating the ethics of public web app testing by security professionals. When the good guys poke and prod public web apps it raises a bunch of ethical questions, besides being legally questionable. Rather than recap my thoughts again, I invite you to read the article which I wrote for this month’s “ISSA Journal.” If you like the article and like some of the articles in the Journal archive, please consider supporting ISSA by joining. I have found it to be pretty valuable.

As always, I welcome your feedback. Feel free to challenge my assertions. All constructive comments will be let through moderation.

Four Great Online Copyright Tools

September 22nd, 2009 mstarks No comments

Who knew that a bunch of librarians could produce cool, online tools? Well, the folks over at the Copyright Advisory Network have done just that. Here are four tools to help you navigate the sometimes confusing and seemingly obscure US copyright law:

  • The Public Domain Slider is my favorite of all of these tools. For example, did you know that a copyrighted work first published prior to 1923 is now in the public domain? That means you can use, sell, redistribute and do whatever else you want to all sorts of wonderful print, audio and video. Go ahead and post them to the file sharing sites and have a chuckle if you get a cease and desist letter.
  • The Section 108 Spinner is primarily for librarians and archivists. Under certain circumstances, they get to reproduce entire copyrighted works. Those wily librarians get to have all the fun!
  • The Exceptions for Instructors eTool is for, well, instructors. Just like librarians, instructors can laugh off all of those litigious attorneys who would rather they didn’t know their rights under copyright law. Am I the only one picturing a teacher with a cape and a big © on their chest?
  • Finally, the Fair Use Evaluator helps you to make a subjective determination whether your use is defensible as fair under the law. Remember, fair use of a copyrighted work does not require the permission of the copyright holder. Also remember that it is a defense to infringement, which means that a judge gets to decide if your use was fair once you are sued.

Until next time…

Categories: Ethics, Personal Liberty

Professor Challenges Copyright By Posting Material

September 17th, 2009 mstarks No comments

To the best of my knowledge (and I am not an expert), material produced by the US federal government with taxpayer money is, with certain exceptions, in the public domain; whether state governments can claim copyright in their own works is a separate question that varies by state. As well it should be. If we paid to produce it, it makes sense that we should have access to it. Public domain material is truly free. It is not copyrighted. It’s accessible to anyone for any reason to do anything they want with it. You can copy it, re-use it, make it into other works and make nice bird houses out of it.

Bill Harbaugh, Professor of Economics at the University of Oregon has challenged the Oregon Attorney General by posting the “Oregon Attorney General’s Public Records and Meetings Manual” online, in direct defiance of a warning from the AG.

The AG believes this is copyrighted material, despite his public position and despite that this is a guide which explains how one can access various public records. That’s an understandable position for the Oregon AG to take since they sell it for $25.

Today, I applaud Bill Harbaugh. This guy has a set. We need more people, and especially more well-educated and respected people, to draw a line in the sand against abuse of copyright law. Remember, copyright law (at least in the U.S.) was designed to ensure a balance of rights between the creator and the recipient. It is not designed to give the creator absolute rights. At least in this case, it doesn’t even appear that copyright law should apply. It seems clear that this document should be in the public domain.

Way to go, Professor Harbaugh!

Categories: Ethics, Personal Liberty

Amazon Makes Good Over Orwell Incident

September 4th, 2009 mstarks No comments

Recently, I blogged about how Amazon removed certain legitimately purchased eBooks from Kindle readers. One of those books, ironically, was George Orwell’s “1984.”

Today, I learned that they’re trying to make up for the incident. According to this thread, affected users are being offered the book back or a $30 credit.

While the DRM issues are still concerning, this is a truly great response from Amazon. They know it was a mistake and are trying to make good. Hats off for customer service.

Amazon, let’s take it one step further and get rid of the DRM on the books. Get rid of the contractual agreements that force users to leave their rights under US copyright at the door. People will still pay for a good product and we will have freed the information. Do the right thing and I’ll become a customer of your digital wares.

Categories: Ethics, Personal Liberty