Thomas Ptacek | June 29th, 2006 | Filed Under: Industry Punditry, Uncategorized
I heard it here first: EMC is buying RSA for $2.1Bn, or almost 7x least years revenue, apparently 5x leading.
This seems like good news to me. Our top ten security acquirers looks a bit more reasonable now. People I know leave me the impression that the RSA team, now EMC Information Security, is famously acquisitive. Now they have a bankroll.
Thomas Ptacek | June 29th, 2006 | Filed Under: Industry Punditry
Microsoft has gotten a bad rap with its software problems, and deservedly so, says David Pensak, CTO [of V.i. labs] “But they have a lot of fundamental design problems in their software… They made some [poor] decisions before people understood how evil the hackers are,” he says.
Do these guys have anything real to say? Microsoft spends more on security in a quarter than the research community will spend all year. How evil the hackers are? How about, how unbelievably hard it is to get a computer to do exactly what you want it to, under all conceivable circumstances, and nothing else?
Thomas Ptacek | June 29th, 2006 | Filed Under: Matasano, Uncategorized
And on that note, if you’re in Chicago (and if you aren’t, why aren’t you?), Sherrod Degrippo and the unbreakable Josh Daymont are coordinating ChiSec Five on July 20th.
There’s a mailing list (on that web page), and you should join it if you want a say in where future Chisecs will be held.
A refresher: the *-sec meetings (now Chicago, New York, Seattle, and soon Boston) are basically the opposite of ISSA. No dues, no minutes. No sales pitches. Some tables. Beer. A bunch of people you’ve never met who work in security. You don’t have to RSVP (although please do if you can).
Dave and Luke will post about NYSEC 2 shortly. If you’re in a city not served by the *-sec movement, feel free to contact us; we’ll hook you up with someone else in your area that’s looking to get one set up, and we’ll do whatever we can (web page, mailing list, blog posts) to help promote. These gatherings kind of rock, and we want more of them.
Window Snyder | June 29th, 2006 | Filed Under: Gatherings
Seattle had our first SeaSec last night and it was a blast! So many people showed up that we ended up compeletely taking over the joint. Thanks to all of you that made SeaSec 1 such a success. Watch this space for announcements for SeaSec 2.
Thomas Ptacek | June 28th, 2006 | Filed Under: Defenses, Uncategorized
Also from NetworkWorld, this time in “10 Cutting Edge Research Projects You Don’t Need To Know About”, “Active Cookies”.
Alice, Mallory, Bob. Assume Alice and Bob can talk securely once. Then Bob can give Alice a cookie sourced to IP(Bob) instead of Name(Bob).
Now,
alice -> mallory -> bob, after Alice has a cookie from Bob.
Mallory tries to be Man-in-the-Middle via DNS spoofing. Alice logs into Mallory. Mallory logs into Bob.
Bob issues redirect (intended for Alice) to IP(Bob).
Mallory can’t:
Get between alice -> IP(Bob), because Mallory can’t spoof IP.
Modify Bob’s redirect, because Bob is waiting for a cookie that will only be presented to IP(Bob).
Allow Bob’s redirect without disclosing his own presence, because (on the wire) Mallory appears to have initiated the login, not Alice.
Game over Mallory?
Uh, no. Apart from the glaring dependence on a prior authenticated transaction between Alice and Bob, after which cookies cannot be removed, this defense assumes Mallory’s only winning strategy is to consume requests from Alice, repackage them, and send them directly to Bob (the classic MITM formulation).
But that’s not Mallory’s only winning strategy. Mallory can intercept Alice, read enough from Alice to win, and pass her along directly to Bob none the wiser. I think this “defense” misunderstands the nature of active attackers.
I don’t think this technique makes Mallory’s job meaningfully harder.
Two other obvious “problems” that I feel are more easily knocked down by the authors:
Active Cookies only impact DNS spoofing attackers. But IP spoofing is much harder than DNS spoofing. While I don’t think the difference between IP and DNS spoofing is qualitative, especially when money’s on the line, it’s probably quantitatively different. That said, Active Cookies have no play for internal applications, where IP spoofing is much easier.
How is this any better than SSL? Because it delegates to the web application the task of verifying the channel. With modern browser UI, users don’t have enough information to do that.
Thomas Ptacek | June 28th, 2006 | Filed Under: Industry Punditry, Uncategorized
Here’s Thompson on the Sony Rootkit debacle (from NetworkWorld):
So I think people need to step away from the fact that perhaps there was some piece of detective capability on the machine, to what was the intent and how did the company respond when it was made public. And I think Sony acted very responsibly, frankly.
“How did the company respond when it was made public”?
Doesn’t this seem a bit flat-footed from a company that grosses ~$1.5Bn/yr from software designed to eliminate things like the Sony rootkit?
I had a nastier thing to say here, but I don’t want Dave to get mad at me.
Thomas Ptacek | June 28th, 2006 | Filed Under: Industry Punditry, Uncategorized
John Thompson, CEO of Symantec, on why he’s “not worried at all” about competing with Microsoft. (from NetworkWorld)
Microsoft is synonymous with a lot of things in the software and technology industry. Security is not one of them. And they’ve got a long way to go to demonstrate not only capability, but to deliver and build a reputation of being able to support a vast array of users in that regard.
You could write a long stream of blog posts about this topic. And you know what, since it’s a lay-up, we probably will. But I’m busy right now and I’m just going to say:
The cool kids don’t think this about Microsoft anymore. Microsoft claims to have spent billions on securing its software (and it may have, if you factor in the cost of slipping releases to eradicate things like integer overflows). But that doesn’t matter. Microsoft could buy a year of the entire vulnerability research community for less than $80MM, even at premium rates. That’s less than the cost of a mediocre security startup.
On the other hand, none of the cool kids hold Veritas, or for that matter Symantec, in much esteem. And I’m not sure what fleeing from the all-in-one gateway appliance market, tail between their legs, retrenching into categories that are inevitably going to be Control Panels in upcoming releases of Windows Server, says about their ability to spend their way out of that problem.
But what do I know.
Thomas Ptacek | June 28th, 2006 | Filed Under: Uncategorized
A tragecomedy in 898943 acts.
A country road. A tree.
Evening.
THOMAS PTACEK
Look at this.
DAVE GOLDSMITH
If you speak a hyperlink one more f’ing time…
THOMAS PTACEK
Just look at it. How can anyone read that and worry about competing with Arbor Networks. Fairy doors?
DAVE GOLDSMITH
I don’t know man…
DAVE GOLDSMITH
It worries me.
THOMAS PTACEK
What?
DAVE GOLDSMITH
They’re already OSHA compliant for magical creatures.
Silence.
Curtain.
Thomas Ptacek | June 27th, 2006 | Filed Under: New Findings
Via sci.crypt, a new paper from Joseph Bonneau at Stanford and Ilya Mironov at Microsoft , which times AES keys with thousands, not hundreds of millions, of samples, by conducting a white-box attack (informed by the structure of the AES implementation) on the last round of AES encryption.
Two interesting vectors for the attack, from the paper:
In multiprocessor environments, an unprivileged process on one processor can “snoop” keys from privileged processes on the other processor using timing.
Attackers can trigger and time encryption of disk blocks in network storage environments.
From Bernstein’s post:
The bottom line is that S-boxes (arrays with input-dependent indices) create absurdly complex, fragile, vulnerability-prone cryptographic systems. The obvious way out of this mess is to stop using S-boxes.
Thomas Ptacek | June 27th, 2006 | Filed Under: Industry Punditry, Reversing
V.I. Labs had the misfortune of getting lumped into “our” Dark Reading article, and based on their collateral let me just say, “not a fan”.
First: “powerful, out-of-the-box security solutions that protect against piracy, tampering, and theft of high value or mission critical software applications”. Where have I heard that before? Oh yeah, in the code that forced me to use that little red piece of plastic to look up the “secret codes” in the manual for The Secret of Monkey Island (ye ARRRR glad ‘ta be dead, right?).
Paul Kocher’s Cryptography Research has the real deal here, in a system called Self Protecting Digital Content. The wrong and the short of it: “reference monitor” code runs on a virtual machine with an instruction set architecture deliberately designed to make tracing, reversing, and altering code a huge bitch.
V.I. Labs product encrypts binaries, in a fashion that is on paper reminiscent of DVD AACS. Application code is still just application code, written in, say, Visual C++, still targeting the Windows ABI and the Intel ISA. It’s just hidden until it’s time to run it.
Because this system is ultimately running native code on Win32, I want to know why it doesn’t simply have the same chain-of-trust issues that the XBox has. (That link, by the way, needs to be taught in Universities).
I have two more technical reactions to this pitch:
Thwarting “reverse engineering” by protecting binaries would monkeywrench only a minority of the projects we’ve been on, where our best source was black-box testing of network protocols.
The “secure execution monitor” seems like a rehash of HIPS, a la Entersys/MCAF, Okena/CSCO, and Sana. It’s not an easy response to “logic-level” threats, which don’t rely on buffer overflows but rather weak authentication protocols, inconsistent authorization, or just plain bad design.
So it also doesn’t really impact the type of threats we’re talking about at Black Hat.
Then I have two marketing reactions:
If I’m an enterprise security manager, tell me what value this technology offers me by obscuring the binaries I’m running on my server. We get paid to break open commercial apps. Enterprises want us to do it, so they can preempt vulnerabilities and have some degree of predictability.
If I’m an enterprise software vendor, and rolling a simple “golden” build of a known-good revision of my code can take a week and involve a meeting with QA, support, and sales engineering, tell me how this product gets over the objection that it is essentially randomizing the build.
Matasano is a team of internationally respected security experts who have led security efforts at @stake, Microsoft, ISS, Secure Computing, Arbor Networks, Secure Networks, Bloomberg, Sandia Labs, and others. Read more about our team and how we can help you today.
©2008 Matasano. All Rights Reserved.
