Wednesday, September 22, 2010


HyperSentry is a technology that uses IPMI to allow an out-of-band method for checking hypervisor integrity.

IPMI is a backdoor to the system, so it is something that has to be managed carefully. When I did pen-testing I often found that it was not secured properly. That said, it is a very interesting idea.

I think the hardware "root-of-trust" technology that has been developed by AMD and Intel is also interesting.

I think we will see availability of tools, including Catbird, where a combination of these technologies is built into the system. I do have to point out that IPMI-based checks have been possible for years and yet no one has touted them as a solution for detecting conventional rootkits. I've learned that anything with "IBM" in the release has a certain amount of FUD factor, and it may be a year or longer before we see a real capability that can be built into a product.

Perhaps the broader implication is that work like this is common on open-source hypervisors and is much harder to perform on proprietary systems.

Thursday, September 2, 2010

VA cloud outage

--Virginia Gov't Agencies Suffer Massive Outage
(August 27 & 30, 2010)
A storage area network (SAN) memory card failure at the Virginia Information Technologies Agency (VITA) left at least two dozen agencies without the ability to conduct business. Among the affected agencies are the Department of Motor Vehicles, which was unable to issue driver's licenses, and the Department of Social Services, which was unable to distribute benefits. The data center where the failure occurred is run by Northrop Grumman.

[Editor's Note (Northcutt): The state of Virginia was an early adopter of blades and virtualization. The advantages and economics are obvious. These outages may prove to be a cautionary tale. With virtualization, you end up with a lot of eggs concentrated in a fairly small basket so that if your continuity of operations plans fail, you go down pretty

(Schultz): This is a perfect example of what can go wrong when cloud services fail. People in general neither recognize the real risk nor plan for loss of availability in cloud services.]

Wow, they were not running dual HBAs into the SAN? Can't be.

Outage report from VA is here:

I am not sure the SANS editor comments are warranted. This may be related to an architectural error in the deployment of the EMC DMX 3 and its backup.

The DMX is an SMP-based HA system with a petabyte of capacity. The comment about too many eggs in one basket is accurate with respect to the State of Virginia's use of a monster SAN, but not so much with respect to its use of virtualization.

The real failure here is whether or not they ever tested their COOP capability at all. Then we have to ask when they last ran a DR test, because their time to recover seems a little long as well.

My failure analysis: over-reliance on a vendor's claim that their hardware never fails.

Saturday, August 28, 2010

Web site reputation

Recently several companies have developed features or products to make web surfing more secure. One of these technologies uses reputation. Reputation is a measure of trust for a web site or web page. In this case trust is typically measured by how much SPAM, malicious traffic, or attacks a site is known to generate. It turns out that measuring these things is not that hard because a majority of web traffic flows through a relatively small number of gateways and backbone networks.

This is a very good idea. If a web site is known to host malware or send a lot of SPAM, then block or warn users before they visit a site. Of course, cyber-criminals have started to figure out how to bypass these checks. They simply attack sites with good reputations and get them to host the malware. In some cases, it's just a matter of providing an advertisement.

Reputation-based security is still a great idea because it forces the crooks to work harder. However, we can't get overconfident and rely on this technique to always protect us. This means keep your software patched, don't click on suspicious links, and ignore any offer that is too good to be true.
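The ad-based bypass described above only works when reputation is scored for the host in the address bar. The following is an added example (not from this post or any vendor's product) that scores every host a page makes the browser fetch, so a reputable site carrying a bad ad iframe is caught; the reputation feed, hosts and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from typing import Dict, Tuple

# Constructed reputation feed (0 = known-bad, 100 = clean); stands in for a vendor service.
REPUTATION = {"news.example": 95, "cdn.example": 90, "ads.example": 10}
UNKNOWN_SCORE = 50          # hosts with no history are neutral, not trusted
WARN_BELOW, BLOCK_BELOW = 70, 30

class ResourceCollector(HTMLParser):
    """Collects the host of everything the page makes the browser fetch or execute."""
    ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "link": "href", "embed": "src", "object": "data"}

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.hosts = {page_host}

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # relative URLs ("/site.css") resolve to the page's own host
                self.hosts.add(urlparse(value).hostname or self.page_host)

def site_reputation(url: str) -> int:
    """Site-level check: only the host in the address bar is scored."""
    return REPUTATION.get(urlparse(url).hostname, UNKNOWN_SCORE)

def page_reputation(url: str, html: str) -> Tuple[int, str, Dict[str, int]]:
    """Page-level check: a page is only as trustworthy as its worst third-party resource."""
    collector = ResourceCollector(urlparse(url).hostname)
    collector.feed(html)
    scores = {h: REPUTATION.get(h, UNKNOWN_SCORE) for h in collector.hosts}
    worst = min(scores, key=scores.get)
    return scores[worst], worst, scores

def verdict(score: int) -> str:
    return "block" if score < BLOCK_BELOW else "warn" if score < WARN_BELOW else "allow"

# Constructed page: a reputable news site carrying an ad iframe from a known-bad host.
SAMPLE_URL = "http://news.example/story"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/site.css"></head>
<body><img src="//cdn.example/logo.png"><p>story</p>
<iframe src="http://ads.example/banner?id=7"></iframe></body></html>"""
```

The site-level score for SAMPLE_URL is 95 (allow), while the page-level score drops to 10 (block) because of the ad host.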

Tuesday, August 24, 2010

Alert FOX News!

So, I got this funny SPAM email, and I thought someone would take this seriously and alert FOX News to yet another massive government intrusion into our lives... ;-)

By the way, the SPAM came with a ZIP file that will probably p0wn your computer if you install it...

------ Begin Message
From: Alfreda Robertson
Date: Tue, 24 Aug 2010 16:04:07 +0200
Subject: IRS Notification - For Tax Payer

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, install the attached file

After doing so, no further action is required on your part.

Thank you for your cooperation.

IRS Agent #175
Alfreda Robertson

------ End of Message

Friday, July 2, 2010

Always a good idea to keep your BIOS up to date....

Looks like Sony has learned from Dell’s leaky capacitor debacle.

Sony says 535,000 laptops at risk of
More than half a million Sony laptops sold this year contain a software bug that could lead them to overheat, the company said June 30. Sony has recorded 39 cases of overheating among Vaio F and C series laptops that have been on sale since January. In some cases, the overheating has led the laptop case to deform. A bug in the heat-management system of the BIOS software is to blame. Sony is asking users to either update the software themselves or return their laptops so it can apply the update. The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners to update their machines. The additional 111,000 machines are susceptible to several less serious problems that have also been found in the software, said Sony. BIOS is present in every PC and runs below the operating system, controlling the most basic functions of the computer and interaction between major components. It is usually invisible to users except for a BIOS start-up message that is typically seen when a PC boots. The problem affects machines sold both in Japan and the rest of the world. Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and

Source: Computerworld

Wednesday, March 17, 2010

Are Open Source Applications More Secure?

Full Disclosure: I am a long-time Firefox user.

Recently, there have been serious security advisories for Chrome, Safari, and Internet Explorer:

While a patch is now available for Safari (and perhaps Chrome), the community is still waiting on a fix from Microsoft.

Browsers, and Internet Explorer in particular, are the most commonly used applications in the world. Additionally, most web users visit one of the top 500 sites at least once a day. This intersection makes for a very attractive target for criminals. At any given moment, the site you are visiting, even the site you are using to read this post, could be attacking you through your browser and trying to seed your system with malware.

Your first line of defense is a secure browser. I can't prove this easily, but I think an open-source browser like Firefox will always be more secure than a proprietary browser.

My advice:
  1. Keep your browser up to date; note that IE8 is not exposed to the current vulnerability
  2. Keep your OS up to date
  3. Run some sort of host-based intrusion protection system; if you have one of the consumer security suites, you already have this
  4. Run at least a basic network firewall
  5. Businesses should run a network intrusion protection system
For the really advanced users out there:

Make use of virtualization software and run a special purpose virtual machine for your banking and financial applications, run another virtual machine for casual web browsing and entertainment. Never ever browse the web using your host system.

One last piece of advice:

Don't forget to wear some green today!


Tuesday, March 16, 2010

Imagine a World where passwords were useless

Recently, in the press:
March 12, The Register – (International) SSD tools crack passwords 100 times
Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible. After optimizing its rainbow tables of password hashes to make use of SSDs, Swiss security firm Objectif Securite was able to crack 14-digit WinXP passwords with special characters in just 5.3 seconds. An Objectif Securite spokesman told Heise Security that the result was 100 times faster than possible with their old 8GB Rainbow Tables for XP hashes. The exercise illustrated that the speed of hard discs rather than processor speeds was the main bottleneck in password cracking based on password hash lookups. Objectif’s test rig featured an ageing Athlon 64 X2 4400+ with an SSD and optimised tables containing 80GB of password hashes. The system supports a brute force attack of 300 billion passwords per second, and is claimed to be 500 times faster than a password cracker from Russian firm Elcomsoft that takes advantage of the number crunching prowess of a graphics GPU from NVIDIA.
(By the way, SSD stands for Solid-State Drive -- a faster way to store data)

An SSD is much faster than a hard drive but orders of magnitude slower than fast RAM, so if these folks ran the same test with the Rainbow Tables in local RAM they'd be cracking the same passwords in 0.0053 seconds (unless this moved the performance bottleneck to the CPU).

If you want a solution, I recommend something like this.
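To make the article's mechanism concrete, here is an added example (not from the post or from Objectif Securite) of a toy rainbow table: chains are precomputed once, only endpoints are stored, and each lookup is a sequence of table probes, which is why storage speed rather than CPU is the bottleneck. The password space, hash, reduction function and seeds are constructed for illustration; the salted_hash function is added to show why the same precomputed table is useless against per-user salted hashes.

```python
import hashlib
from typing import Dict, Optional

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
PW_LEN = 4            # constructed toy space of 26**4 lowercase passwords
CHAIN_LEN = 40
N_CHAINS = 300

def H(pw: bytes) -> bytes:
    """Unsalted hash, standing in for the XP password hashes in the article."""
    return hashlib.sha256(pw).digest()

def R(digest: bytes, col: int) -> bytes:
    """Reduction function: maps a digest back into the password space.
    A different function per column is what makes the table a rainbow table."""
    v = int.from_bytes(digest[:8], "big") ^ (col * 0x9E3779B97F4A7C15)
    return bytes(ALPHABET[(v >> (5 * k)) % 26] for k in range(PW_LEN))

def build_table() -> Dict[bytes, bytes]:
    """Precompute chains once (the expensive part); store only endpoint -> start."""
    table = {}
    for n in range(N_CHAINS):
        start = R(H(b"seed-%d" % n), 0)   # deterministic constructed start points
        p = start
        for col in range(CHAIN_LEN):
            p = R(H(p), col)
        table[p] = start
    return table

def lookup(table: Dict[bytes, bytes], target: bytes) -> Optional[bytes]:
    """Recover a password whose unsalted hash is `target`, if some chain covers it.
    Each candidate endpoint costs one table probe: lookup-bound, not CPU-bound."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        p = R(target, col)                # assume target sits at column `col`
        for c in range(col + 1, CHAIN_LEN):
            p = R(H(p), c)
        if p in table:                    # endpoint matched: replay that chain
            q = table[p]
            for c in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = R(H(q), c)
    return None

def salted_hash(salt: bytes, pw: bytes) -> bytes:
    """Per-user salt: a table built for H(pw) says nothing about H(salt || pw)."""
    return hashlib.sha256(salt + pw).digest()
```

A table of this size covers only a fraction of even the toy space; real tables trade far more precomputation and storage for coverage, which is exactly the storage the article's SSD optimisation speeds up.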

Thursday, February 25, 2010

Sometimes you're already in the cloud

Federal Trade Commission links wide data breach to file sharing

The Federal Trade Commission (FTC) said Monday that it has uncovered widespread data breaches at companies, schools and local governments whose employees are swapping music, software and movie files over the Internet.

Peer-to-Peer (P2P) file sharing was perhaps the second killer app for the Internet (after Mosaic) because of its ease of use and utility for sharing free music and porn.

P2P is very easy to use: after installing the application, select the files you want to share, then start browsing and downloading files from other users. P2P networks are comprised of millions and often tens of millions of users -- making these applications the largest compute and storage networks in the world.

There are two big risks with P2P:
  1. Oversharing -- incorrectly configuring the P2P application to share all of your files
  2. Compromise -- P2P is often leveraged to download malware to unsuspecting users
The FTC warning described in the Post article arises from the problem of oversharing. For businesses, the problem arises because the more P2P users you have, the more likely it is that one or more of them is sharing confidential information -- without realizing it.

Assuring the secure configuration of P2P file sharing across more than a handful of users is very, very difficult; for a large enterprise it is infeasible. In an enterprise of any size, security depends on the detection of P2P and either on blocking all use or limiting use to selected systems that are subject to stringent access and configuration controls.

Don't be fooled into thinking that your firewalls protect you from this threat. Most P2P applications have been designed to bypass firewalls. P2P detection and control requires the deployment of effective Intrusion Detection (IDS) or Intrusion Protection (IPS) systems.

IPS systems will give you the capability of discriminating between types of P2P applications, selecting a response, and protecting your data.


Wednesday, February 24, 2010

You Should Use Profiling

Thanks to Headline T-shirts for this amusing image.

Torn from the headline, "Chinese school linked to Google attacks also linked to ‘01 attacks on White House site," comes the thought that only idiots fail to profile threats.

For network security this is a simple matter:
  1. Know your services and
  2. Know your users

The first item requires that you self-check with port scans, vulnerability scans, and traffic analysis to understand your networked applications and your potential vulnerabilities. You should always plan that there will be defects you do not know about -- attacks on these are called zero-day attacks. Always patch everything you can, and what you can't patch will require even more protection. Between zero-day worries and the things you can't patch, you'll need intrusion detection and prevention.

The second item should be incorporated in your site user statistics and operations processes. This means understanding, on a statistical and individual basis, who, where, and how your users access your network applications. Once you have a grasp of these behaviors it becomes very simple to develop two key profiles: one that describes how authorized users behave, and second, the converse -- how unauthorized users behave. For example, an Austin, Texas-based music store will typically have many local customers and a few other customers from around Texas or perhaps more remote places like Nashville, New York, or Los Angeles. Once you have the geographic profile of your customers it becomes very useful to think about places you don't have customers: places like South Korea, China, Eastern Europe, and Brazil, and by extension everywhere except North America. Obviously, the same store in Shanghai will have a different customer profile.

Now comes the important part.

If folks from Lilliput never visit your site, treat their traffic with care. Blocking it is best, but if you can't bring yourself to block them, then at least redirect Lilliputian visitors to an "interest" form, gather some marketing information, and put them on a white list. Now, that's for people from Lilliput visiting you; even less likely is authorized traffic from your network going to Lilliput (and really Lilliput is just a placeholder for real threat countries: China, for example). IDS and IPS exist for a reason, and so do firewalls, so make sure you are filtering, blocking, or at least detecting traffic to specific countries and regions of the world you are not doing business with.
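The geographic profiling described above, as an added example that is not part of the original post: a baseline profile is built from web access logs, inbound visitors from out-of-profile countries are sent to the interest form unless they are already on the white list, and outbound connections to out-of-profile countries are alerted on. The prefix-to-country table and the log lines are constructed (RFC 5737 documentation ranges); a real deployment would consult a GeoIP database.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Set

# Constructed prefix -> country table standing in for a GeoIP database.
GEOIP = [(ip_network(p), cc) for p, cc in [
    ("192.0.2.0/25", "US"), ("192.0.2.128/25", "CA"),
    ("198.51.100.0/24", "BR"), ("203.0.113.0/24", "CN"),
]]

def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEOIP:
        if addr in net:
            return cc
    return "??"             # unmapped addresses are never silently in-profile

def build_profile(access_log: str, min_share: float = 0.10) -> Set[str]:
    """Countries that account for at least min_share of baseline requests.
    The threshold keeps one-off stray hits from quietly widening the profile."""
    counts = Counter(country_of(line.split()[0])
                     for line in access_log.splitlines() if line.strip())
    total = sum(counts.values())
    return {cc for cc, n in counts.items() if n / total >= min_share}

def classify_inbound(ip: str, profile: Set[str], allowlist: Set[str],
                     out_of_profile: str = "redirect") -> str:
    """Out-of-profile visitors are blocked or sent to the interest form;
    those who completed the form are on the allowlist and pass."""
    if ip in allowlist:
        return "allow"
    return "allow" if country_of(ip) in profile else out_of_profile

def classify_outbound(dst_ip: str, profile: Set[str]) -> str:
    """An internal host reaching an out-of-profile country is the rarer, more serious case."""
    return "ok" if country_of(dst_ip) in profile else "alert"

# Constructed baseline: 10 local (US) requests, 2 Canadian, and 1 stray hit from China.
BASELINE_LOG = "\n".join(
    ['192.0.2.%d - - [24/Feb/2010:10:00:00 -0600] "GET /catalog HTTP/1.1" 200 512' % i
     for i in range(1, 11)]
    + ['192.0.2.130 - - [24/Feb/2010:10:05:00 -0600] "GET /catalog HTTP/1.1" 200 512',
       '192.0.2.131 - - [24/Feb/2010:10:06:00 -0600] "GET /catalog HTTP/1.1" 200 512',
       '203.0.113.9 - - [24/Feb/2010:03:00:00 -0600] "GET /admin HTTP/1.1" 404 0'])
```

With the 10% threshold the single Chinese request does not make it into the profile, so later visitors from that range are redirected while US and Canadian visitors pass.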

Friday, January 22, 2010

The Cloud is Attacking You

Collected from US-CERT and other sources:

Microsoft has released out-of-band Security Bulletin MS10-002 to resolve seven privately reported vulnerabilities and one publicly disclosed vulnerability. This update includes a resolution for a recently reported zero-day vulnerability in Internet Explorer (IE), which is detailed in Microsoft Security Advisory 979352.

This vulnerability may have been used in the recent attacks on Google and other organizations. Knowledge of this attack is now widely known and the broader criminal community is now leveraging this exploit.

Organizations should review Microsoft Security Bulletin MS10-002 and apply the patches as soon as possible. US-CERT recommends that the patches be tested within your organization's enterprise first and then deployed in an expedited manner. In addition to patching, the recommendations below may be leveraged to better position your organization to withstand future serious vulnerabilities.

Enable Data Execution Prevention (DEP) both in software and hardware if supported (see Microsoft KB 912923). This may provide resiliency against future vulnerabilities.

Be proactive by defining internal servers that should generally be trusted that can be placed in Internet Explorer’s "Trusted Sites" list. By doing so, this may ease the impact to your organization should a future reactive measure be required to set the "Internet Zone" to a "High" security setting. (See Microsoft KB 174360 --