Archive for August, 2006

Matasano Considers Akismet Installation a Success

Dave G. | August 31st, 2006 | Filed Under: Navel Gazing

We’ve recently enabled Akismet, an automagic comment-spam catcher for Wordpress. We’re going to cautiously declare it a success, with this caveat: if you’ve posted a comment, and for some reason don’t see it on the site, it may have gotten eaten. Contact us at blog@matasano.com.

A quick editorial note: we moderate comments exclusively for the purpose of blocking spam. If we didn’t, comment spam would pretty much be all you saw. We don’t suppress other comments. We read all of them and try to respond when possible. So, go ahead and post some!


InfoWorld Has The Last Word On Firewall Products

Thomas Ptacek | August 31st, 2006 | Filed Under: Uncategorized

Roger Grimes oozes over Juniper firewalls in InfoWorld: “five star security!”, “protocol anomaly detection! LAND and Teardrop protection!”, “multiple security zones!”, “excellent tech support!”, “OMG, PONIES!”. From the article:

So, in summary, the NetScreen firewall is an excellent, versatile product. It has the best documentation of any computer product I’ve ever worked with, and Juniper offers quick, easy-to-understand, human, technical support in minutes.

I will never use another perimeter firewall product!

Lovely, Roger. Presumably, you’ll never need to write about them again, either.


Hallelujah! HexFiend 1.1 Ends My OS X Hex Editor Grail Quest!

Thomas Ptacek | August 31st, 2006 | Filed Under: Uncategorized


OMG, PONIES! ridiculous_fish (an Apple AppKit developer) recently released HexFiend 1.1, driving a gleaming stake through the heart of HexEdit. Unlike HexEdit, HexFiend:

  • is fast,

  • is pretty,

  • has a floating inspector that decodes the int8/int16/int32/int64 (LE and BE) that you’ve highlighted (swoon),

  • often actually saves changes when you tell it to,

  • and can efficiently handle 100MB files, like an uncompressed firmware image.

Despite these features, HexFiend had been my second choice hex editor. When I selected a range of bytes, it gave me the range of offsets (“104 through 107 selected out of 3,804 bytes”). This, believe it or not, is a showstopper; a few minutes of punching numbers into my rpn calculator to see how many bytes I’d actually selected was enough to throw me back into HexEdit.

Until now. Death to HexEdit! Long live HexFiend!

(Most ridiculous_feature ever: the inspector now shows you the RGB color corresponding to the bytes you have selected. I want to hear the use case for this. I am determined to find a way to use it in my work!)

I have, like, a million feature requests. I really wish he’d open it up. But HexFiend rules nonetheless, and ridiculous_fish has the thanks of a grateful security company for releasing it.


Big Blue, HP, Digging Deep / Make My Scary Competitors Go To Sleep

Thomas Ptacek | August 31st, 2006 | Filed Under: Uncategorized

I don’t have a lot of time to blog this week (it’s the start of the school year, my daughter just started kindergarten, and I have client obligations). But I want to respond really quickly to the armchair quarterbacking on ISS, and, now, the “impending HP hurricane”.

Let me tell you how a small indie security player like Matasano evaluates a takeover like IBM/ISS: Please, sir, can we have some more?

On the chessboard of the security industry, companies like ISS and Checkpoint are the knights. They’re ambitious, egotistical, and capable of inflicting damage. But they’re also somewhat unpredictable and, when you get to trading down pieces, not worth all that much. If I’m a small product company with customer traction, ISS can mess up my product plans, but they probably can’t buy me.

Any time a company like that is euthanized by a giant like IBM, a little light flickers on in my cold, slimy heart. I tend to believe it will make IBM more acquisitive, which adds fuel to the fire in the indie market. I tend to believe it will make the A-players at ISS fat, happy, and gone in 12 months.

We like it when viable competitors who aren’t viable exits go away. Are we crazy?

I don’t think HP’s going to make a move, though; don’t they have their hands full trying to exploit the tailspin Dell is in now?

[Update 9/1: Mike Rothman notes “of course ISS or Cisco could buy Matasano”. Two responses. (1) I didn’t suggest that ISS couldn’t buy us. Chris or Tom, if you’re interested, we can be reached at blog@matasano.com. (2) Cisco and ISS are two very different players. If ISS is a knight, Cisco is a queen (that was fun to say).]


NYSEC 3 Wrapup

Dave G. | August 29th, 2006 | Filed Under: Gatherings, Uncategorized

We continue to have an awesome crowd of people showing up. The most amusing aspect of this NYSEC was the number of random connections people had to each other. People kept showing up that other people knew but had no idea were going to be there. We had a good mix of industry represented, and I beat Jacob in pool because he scratched on the 8 ball. It isn’t my favorite way of winning, but winning is my favorite way of ending.

I want to thank everyone for showing up!


NYSEC 3: Reminder!

Dave G. | August 28th, 2006 | Filed Under: Gatherings

Tonight is NYSEC 3! Just a quick reminder…

Pound and Pence (typically on the second floor) @ 6:30PM…

Click here for more details.


My Dad Can Beat Up Your Dad: Part 1

Dave G. | August 27th, 2006 | Filed Under: Apple, Slashdot Rounddown

It never ceases to amaze me how people either communicate poorly or just plain don’t understand security. In the latest example of ridiculous ‘my OS is better than your OS’ posts, there is a long set of bullet points about why OS X is more resistant to malware. I think the author is often wrong in his analysis. I even wrote a point-by-point dissection of the author’s post, and then shredded it.

But, as much fun as blog fights are, I think it’s more important to actually talk for real about OS X security. I will outline what I think are genuine benefits, and what I think is overhyped.

On Network Attack Surface

  1. Minimal network attack surface. Solid! Very few daemons listen on network-accessible TCP ports. Lots listen on localhost, but by default none bind to external network interfaces. Good job, Apple. A couple of UDP ports are open, though.

  2. Mac OS X Default Firewall. Hype! Because of #1, OS X’s firewall does very little. Let’s look at the ruleset (ipfw, first match wins) when you start the firewall on a default Mac OS X desktop machine.

    02000 allow ip from any to any via lo*
    02010 deny ip from 127.0.0.0/8 to any in
    02020 deny ip from any to 127.0.0.0/8 in
    02030 deny ip from 224.0.0.0/3 to any in
    02040 deny tcp from any to 224.0.0.0/3 in
    02050 allow tcp from any to any out
    02060 allow tcp from any to any established
    12190 deny tcp from any to any
    
    The firewall basically stops multicast and localhost spoofing, and rule 12190 drops any inbound TCP that isn’t part of an established connection. Since no TCP ports listen on external interfaces in a default install, these rules aren’t all that helpful past that. Note that UDP isn’t touched at all in this mode: it falls through to rule 65535 and is allowed. When you click the Advanced button and check ‘UDP Port Block’ and ‘Stealth Mode’, you get:
    02000 allow ip from any to any via lo*
    02010 deny ip from 127.0.0.0/8 to any in
    02020 deny ip from any to 127.0.0.0/8 in
    02030 deny ip from 224.0.0.0/3 to any in
    02040 deny tcp from any to 224.0.0.0/3 in
    02050 allow tcp from any to any out
    02060 allow tcp from any to any established
    12190 deny tcp from any to any
    20000 deny icmp from any to me in icmptypes 8
    20310 allow udp from any to any dst-port 53 in
    20320 allow udp from any to any dst-port 68 in
    20321 allow udp from any 67 to me in
    20322 allow udp from any 5353 to me in
    20340 allow udp from any to any dst-port 137 in
    20350 allow udp from any to any dst-port 427 in
    20360 allow udp from any to any dst-port 631 in
    20370 allow udp from any to any dst-port 5353 in
    30510 allow udp from me to any out keep-state
    30520 allow udp from any to any in frag
    35000 deny udp from any to any in
    65535 allow ip from any to any
    

As Jay Beale has pointed out, several of these rules make the firewall not especially useful for UDP. Specifically, rules 20321 and 20322 match on the source port only: any inbound UDP datagram with a source port of 67 or 5353 is allowed to any destination port on the machine, because ipfw stops at the first matching rule and never reaches the deny at 35000. Since an attacker chooses his own source port, that cuts through the firewall ‘like buttah’. But even if it didn’t, the firewall explicitly allows traffic to the ports most likely to be listening on an OS X machine (53, 68, 137, 427, 631, 5353).
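To make the source-port problem concrete, here is an added example (not part of the original post, and not Apple’s or ipfw’s own code): a small Python model of ipfw’s first-match evaluation, run over the exact ‘UDP Port Block’ + ‘Stealth Mode’ ruleset listed above. The host address 192.0.2.10 (ipfw’s ‘me’), the outside address 198.51.100.7 and the interface name en0 are assumptions for the demonstration; the dynamic state created by keep-state is not modelled, so that rule is treated as a plain allow.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The 'UDP Port Block' + 'Stealth Mode' ruleset from the post, verbatim.
RULESET = """
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny tcp from any to any
20000 deny icmp from any to me in icmptypes 8
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny udp from any to any in
65535 allow ip from any to any
"""

# Assumed for the demonstration: the Mac's own address, i.e. 'me' in ipfw syntax.
MY_ADDRS = {ipaddress.ip_address("192.0.2.10")}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"; rule proto "ip" matches all
    src: str
    dst: str
    direction: str                  # "in" or "out"
    sport: int = 0
    dport: int = 0
    iface: str = "en0"              # assumed name of the external interface
    established: bool = False       # TCP segment belonging to an existing connection
    icmptype: Optional[int] = None
    frag: bool = False              # non-first IP fragment


def parse_rule(line):
    """Parse the subset of ipfw(8) rule syntax that Apple's ruleset uses."""
    t = line.split()
    r = dict(num=int(t[0]), action=t[1], proto=t[2], src="any", sport=None,
             dst="any", dport=None, dir=None, via=None, established=False,
             icmptype=None, frag=False)
    i = 3
    while i < len(t):
        w = t[i]
        if w in ("from", "to"):
            key = "src" if w == "from" else "dst"
            r[key] = t[i + 1]
            i += 2
            if i < len(t) and t[i].isdigit():        # "from any 67": bare source port
                r["sport" if key == "src" else "dport"] = int(t[i])
                i += 1
        elif w == "dst-port":
            r["dport"] = int(t[i + 1]); i += 2
        elif w in ("in", "out"):
            r["dir"] = w; i += 1
        elif w == "via":
            r["via"] = t[i + 1]; i += 2
        elif w == "icmptypes":
            r["icmptype"] = int(t[i + 1]); i += 2
        elif w in ("established", "frag"):
            r[w] = True; i += 1
        elif w == "keep-state":
            i += 1                                   # dynamic state not modelled
        else:
            raise ValueError(f"unhandled ipfw token {w!r} in rule {t[0]}")
    return r


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return ipaddress.ip_address(addr) in MY_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, p):
    """Every qualifier present in the rule must match the packet."""
    return (r["proto"] in ("ip", p.proto)
            and (r["dir"] is None or r["dir"] == p.direction)
            and (r["via"] is None or fnmatch.fnmatch(p.iface, r["via"]))
            and _addr_match(r["src"], p.src) and _addr_match(r["dst"], p.dst)
            and (r["sport"] is None or r["sport"] == p.sport)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (not r["established"] or p.established)
            and (r["icmptype"] is None or r["icmptype"] == p.icmptype)
            and (not r["frag"] or p.frag))


def evaluate(p, rules=RULES):
    """First matching rule wins, exactly as ipfw walks its list. Returns (action, rule number)."""
    for r in rules:
        if matches(r, p):
            return r["action"], r["num"]
    return "deny", 0                                 # unreachable while rule 65535 exists


def udp_in(sport, dport):
    """Verdict for an inbound UDP datagram from an outside host to this Mac."""
    return evaluate(Packet("udp", "198.51.100.7", "192.0.2.10", "in", sport, dport))


def icmp_in(icmptype):
    """Verdict for an inbound ICMP message of the given type (8 = echo request)."""
    return evaluate(Packet("icmp", "198.51.100.7", "192.0.2.10", "in", icmptype=icmptype))


if __name__ == "__main__":
    for sport, dport in [(40000, 22), (5353, 22), (67, 22), (40000, 631)]:
        print(f"udp sport={sport:5d} -> dport={dport:4d}: {udp_in(sport, dport)}")
    print(f"icmp echo request: {icmp_in(8)}, echo reply: {icmp_in(0)}")
```

Running it shows the asymmetry: a datagram to port 22 from an ordinary source port is dropped by 35000, but the same datagram with source port 5353 or 67 is allowed by 20322 or 20321, and anything aimed at 631 is allowed by 20360 regardless of source. Stealth mode only drops echo requests; every other ICMP type still falls through to 65535.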

So let’s stop bragging about the firewall and start bragging about the fact that there is almost nothing to attack. Note to Apple: UDP port blocking shouldn’t be hidden under ‘Advanced…’.

On Administrator Privileges

  1. You can’t do anything without my password. Hype! On a single-user machine (the only place this situation really happens), when the user’s account is compromised, all of their data is compromised. Rootkits and all that jazz are bad, but as soon as code is executed under the privileges of my account, I am screwed. Game over. Also, membership in the admin group gives you write access to /Applications, which lets you compromise anyone who runs any of those applications. Also InputManagers and method swizzling. And it is pretty hard not to give up your password when the dialog asks. Of course, another layer of security is good. But it is absolutely possible to subvert if you are on the machine.

On Viruses

  1. Virus Authors Don’t Write Mac Viruses Because It’s Too Hard. Hype! Think back to the other Mac OS. How many viruses were made across its entire history? And are you going to tell me that the reason there were only ~150 Mac viruses was the security architecture of System 7?

  2. Mac OS X is too small of a target. Solid! Mac OS X is not a significant population of computers to write a virus for. I am not saying no one will do it, but if you have to choose between a virus that impacts ~95% of the world’s computing population and one that impacts ~3-4%, why write a Mac virus? This was true of old Mac OS viruses too. While we might have had more of them, compared to PC viruses and malware the numbers were MUCH smaller. Old Mac OS had maybe 100-200 viruses (*) (including variants, not including MSFT macro viruses). Meanwhile DOS/Windows had probably 50,000+ in that same time period. Is anyone here going to tell me that it was the security of OS 9 that prevented viruses from spreading?

(*) Total guesswork, but probably on the high side.

There are other things that Apple does that meaningfully provide security; this was just my starting point.

Oh yah… that post I mentioned? Here was his closing point:

Pretty soon any debate with Microsoft over security can be ended in one round when Apple stands up, says “launchd,” and sits back down.


Dino Dai Zovi vs. Dan Kaminsky on SSL VPN Security. Round 1: Fight!

Thomas Ptacek | August 26th, 2006 | Filed Under: Bitching About Protocols, Uncategorized

I agree with everything Dino told Dark Reading about SSL VPN security. I may even agree with Dan Kaminsky that kiosk security “can’t work”. So, you can just read the article.

This quote, though, is priceless:

Meanwhile, most SSL implementations still use only 128-bit encryption, which isn’t airtight enough, says Sean Kelly, business technology consultant for Consilium1.

Do you know how fast you can run through 128 possible bits? Your computer can count to 128 in, like, seconds, man!

I’m pretty dubious about Pescatore’s MobiKey suggestion; these are little USB thingies that authenticate to a central service which brokers an SSL connection. Even assuming there’s a sane design behind this (SSL terminated at a kiosk is owned completely by the guy who rootkitted the kiosk, even if it’s strongly authenticated), the USB device itself is highly exposed to attack by being plugged into a hostile controller.

One other thing: none of our upcoming products is a “small, iPod-sized VMware-based hard drive that plugs into a third-party machine and keeps everything on that device”. If you want to build one, be our guest. I bet you can even pay us to have Dino help you.


The Solution To Spam: Free Subscriptions To CNBC

Thomas Ptacek | August 25th, 2006 | Filed Under: Uncategorized

Via Slashdot, in a study at Purdue University and Oxford:

“A recent study on spam has revealed that spammers see a return between 4.9% and 6% when selling stocks they have bought low and spammed the world with.”

So apparently all we need to do is educate spammers about investment. Rule #1: factor the cost of trading and management into the return. The cost of spamming and attendant risks create a drag that must dwarf that of an S&P index fund or ETF. VFINX is up 6% over the last 12 months, and I can get that return without creating a zombie army to seize it.

[ed. note: yes, I didn’t read the article all the way through. Yes, spammers make way more than I would plowing my money into VFINX. Yes, spammers are smarter than me. Thank you for noticing.]


Has IBM’s ISS Takeover Killed Indie Security? Next on the Matasano Group.

Thomas Ptacek | August 25th, 2006 | Filed Under: Uncategorized

THE MATASANO GROUP

HOST: JOHN SANAMATO

PANEL: RICHARD STEINNON, IT-HARVEST; RICHARD BEJTLICH, TAOSECURITY; MIKE ROTHMAN, SECURITY INCITE; THOMAS PTACEK, MATASANO SECURITY

TAPED: FRIDAY AUGUST 25, 2006

MR. SANAMATO: Issue One! Looming consolidation in security:

ARMONK, NY and ATLANTA, GA – August 23, 2006: IBM (NYSE: IBM) and Internet Security Systems, Inc. (NASDAQ: ISSX) today announced the two companies have entered into a definitive agreement for IBM to acquire Internet Security Systems, Inc., a publicly held company based in Atlanta, Ga., in an all-cash transaction at a price of approximately $1.3 billion, or $28 per share. The acquisition is subject to Internet Security Systems, Inc. shareholder and regulatory approvals and other customary closing conditions. The transaction is expected to close in the fourth quarter of 2006.

MR. SANAMATO: ISS is just the latest in a string of high-profile acquisitions of large independent security companies. Could IBM’s move be the canary in the coal mine, signaling the demise of the large pure-play security product company? Has all the best real estate been claimed by multi-billion dollar giants?

MR. SANAMATO: Item! IBM’s acquisition removes the most successful independent IPS product from the market, leaving behind an enterprise inline market dominated overwhelmingly by companies with over $1Bn in revenue.

MR. SANAMATO: Item! The ISS takeover closely follows EMC’s acquisition of RSA Security, practically the standard-bearer for pure-play security companies.

MR. SANAMATO: Item! After a string of low-profile technology acquisitions at Cisco and four years of M&A activity at Juniper and 3Com, the network infrastructure giants now field well-rounded portfolios of products, and continue to squeeze the rest of the market with lock-in strategies like NAC.

MR. SANAMATO: Question: has consolidation of the security industry reached a tipping point? Richard Steinnon.

MR. STEINNON: Let me explain what is going on. Put simply, the security industry has grown to the point where its markets are attractive to very large corporations that are looking for new opportunities. IBM has diligently looked at the managed security space for over five years. They did not buy Riptech or Guardent, which went to Symantec and Verisign respectively, because the industry was too small. Now, as managed services become a big business, fueled by increased interest in regulatory compliance, it is worth jumping in.

MR. SANAMATO: Does IBM’s takeover leave behind a viable independent security industry? Without ISS or RSA, have the majors locked it all up?

MR. STEINNON: Not even close. There are over 867 vendors in the IT-Harvest knowledge base this morning. When that number falls month to month we can start talking about consolidation.

MR. BEJTLICH: How many of those companies are 1 year old or less? 2 years? 3 years? I’m guessing that many companies that were firewall development startups have either been bought or gone out of business.

MR. SANAMATO: New security startups can clearly still get funded. But can they survive? Mike Rothman.

MR. ROTHMAN: Smaller vendors are not going to beat Cisco, Symantec or McAfee at their own game. But these folks can fill the gaps. As long as they don’t get greedy, they can find a home in one of the bigger players when a market materializes.

MR. SANAMATO: So the independent companies will fight over the scraps.

MR. PTACEK: I don’t buy that at all, John. Like the EMC acquisition of RSA, if you’re a small security startup, the IBM takeover is good news.

MR. SANAMATO: Not if you’re trying to bring an IPS to market.

MR. PTACEK: Well, read the press releases carefully. The long-term outlook for Proventia had to have been a top-of-mind issue for this M&A team. But the lede in the announcement is the integration of ISS software into IBM’s software-only Tivoli unit. The uncertainty here could leave a gap in the market for a company like SourceFire to fill.

MR. SANAMATO: So how is this good news?

MR. PTACEK: Once again, an important and ambitious security player with a painfully constricted budget has been picked up by an industry giant with a near-limitless capacity to develop their security line of business by acquiring small companies.

MR. SANAMATO: ISS has acquired several small companies. Will the stifling bureaucracy at IBM do any better?

MR. PTACEK: Imagine ISS trying to pick up any company in security with more than $20MM in revenue at any reasonable multiple. You’re talking about multiple tens of points of net assets; any of these plays would be a bet-the-company move. IBM hasn’t come close to betting Tivoli on the ISS takeover.

MR. STEINNON: This is all about services. IBM is already an ISS partner for managed services so I expect a fast ramp up in product offerings and it won’t be long after the deal closes that you will be able to buy firewall and IDS managed services from IBM.

MR. SANAMATO: Does IBM have a chance selling firewalls to enterprises?

MR. BEJTLICH: The functions that ISS network security products provide, however, are going to end up in Cisco switches. Those features are going to be available as upgrades to sufficiently powerful switches, leaving managers with the choice of running Cisco plus other boxes, or just Cisco. They will choose “just Cisco.”

MR. PTACEK: I’ll object to that. I think IBM will have a hard time competing with the Cisco ISR on the one hand and Checkpoint on the other. We have to see how much of an impact “all-in-one” boxes, like IBM/ISS might try to field, will have on that space. But the wholesale slaughter of enterprise security by switch-integrated security is never going to happen.

MR. SANAMATO: Every major switch vendor is trending in that direction.

MR. PTACEK: It’s an obvious strategy. It’s doubly sensible for Cisco; security technology on the whole, including VPN gateways, may add up to less than 10% of their revenue in switching. Meanwhile, every high-density security offering from a competitor is a potential long-term challenger to their switch monopoly, especially at the access layer. But that doesn’t mean they’re going to win in the space. For one thing, it’s taking Cisco an incredibly long time to execute on integrating security features with the Catalyst platform. For another, it’s uncertain that the packaging everyone envisions, security blades in Catalyst chassis, is even palatable to large enterprises. In a lot of places that’s a forklift upgrade.

MR. SANAMATO: But what about...

MR. PTACEK: ...and don’t even get us started on the other switch company offerings. Name 5 companies in the Fortune 1000, half of a percent, that are seriously contemplating a new rollout of 3Com or Extreme switches, outside of specialized applications like data centers.

MR. SANAMATO: Well then...

MR. PTACEK: ...and the most annoying part of this discussion. We’re all stuck fighting the last war! ISS has defined itself over the past 5 years as the thought leader in intrusion prevention. But is there any evidence that any enterprise has really benefited from intrusion prevention? My colleagues on the panel will protest, but they can’t say I’m unreasonable for posing the question! Who’s going to lead application firewalling? What product is going to make internal segmentation viable? In 5 years, 80% of the Fortune 1000 will use 802.1x and Active Directory to assign every endpoint to a VLAN. What’s going to sit in between those VLANs? Definitely not IPS. And obviously we’re just talking about network security here. Someone’s going to take a run at solving software security, too.

MR. SANAMATO: Enough speculation. On a scale of zero to ten, with zero representing impossibility and ten representing complete metaphysical certitude, what is the chance that the IBM takeover of ISS strikes a death blow to the pure-play security market? Steinnon.

MR. STEINNON: Zero, John. I’m tracking over 850 vendors in my database, and I can even pinpoint many of them on a Google map.

MR. BEJTLICH: Ten. Those that focus on host-centric products may continue to exist, but there is a good chance that they will continue to be bought by Microsoft.

MR. ROTHMAN: Five. An independent security company’s only chance in 2006 is to find a small niche that doesn’t get them crushed by a major player.

MR. PTACEK: Zero. Consolidation happens when consumers have fewer suppliers for the same features and utility. IBM might be big, but they weren’t an IPS player before. They probably won’t be in the future, either, but they’re sure as hell more likely to buy another security company now that they’ve staked a claim there.

MR. SANAMATO: The answer is ten. IBM, Cisco, Juniper, Symantec and McAfee have put Checkpoint 7 moves away from inevitable checkmate, and none of you are smart enough to see it. That’s it for today. Bye bye!


Who We Are

Matasano is a team of internationally respected security experts who have led security efforts at @stake, Microsoft, ISS, Secure Computing, Arbor Networks, Secure Networks, Bloomberg, Sandia Labs, and others. Read more about our team and how we can help you today.