Another Pointless Term (APT)

I’ve been on about security threats being misunderstood and/or overblown.  And companies that are just plain doing it wrong.  But this one is a rare combination rant, about something that doesn’t exactly exist, and companies that are promoting this misconception.  And now it’s becoming a de facto default answer due to stupid trade rags that regurgitate this piece of marketing excrement.  The recent RSA incident has finally sent me over the edge on this.

Advanced Persistent Threat (APT) is the pointless (and silly) term that’s been made up by smart industry professionals (shout out to Kevin Mandia) and grossly misused by marketing and executives.

Who uses this term?  Usually, any dipshit who wants to come off “smarter than you are”.  Like ‘this unfortunate incident was a result of Advanced Persistent Threat’.  Or ‘Does your product defend against APT?  Our product is the only one on the market with this capability’ (God help me if I ever read that anywhere).

What does APT really mean?  Let’s break it down, Wikipedia style -

Advanced – It’s good.

Persistent – It’s not giving up.

Threat – It’s after you.

Wait…  Did I miss something here?  Isn’t this the threat that we, as the IT Security Community, really care about?  All this time were we supposed to be on the lookout for the Advanced Slacker Threat?  Or the Moronic Persistent Threat?  The Moronic Slacker Threat??  They make stuff for all of that (anti-virus/spam, I[D|P]S, Firewalls, Web Filters, etc), and if you don’t have that stuff, you’re Not Doing It Right.

But wait… Don’t we, as IT Security Professionals already calculate Risk based on Threats and Vulnerabilities and hasn’t it been around, like, forever?  Sure we do - Risk is a function of Threat and Vulnerability, or more commonly described as:

R = T * V

Well, whatever.  That might be the idea, but typically we do a crappy job of defining threats.  In (almost) all cases, it’s glossed over like “sure, threats exist, and they’re everywhere, both inside and outside your organization”.  Then they go on to blather on about vulnerabilities (V) because that’s the cool stuff.

In the physical security industry, a threat is defined as:

T = P(Ta) + M(Tm)
(See below for a long dissertation about physical security, or just trust me… )

Which is the probability ranking of the Threat Agent acting against you P(Ta) plus the magnitude of harm the Threat Agent would have on your organization M(Tm).  If we plug in the physical value for Threat into the tried and true risk equation (and expanding out) we get:

R = P(Ta)*V + M(Tm)*V

Then there’s vulnerability.  Vulnerability is an inverse function of the Effort to Exploit (Ee), expressible as V = 1 / Ee.  Vulnerability approaches zero as exploitation effort approaches infinity, but since no attack takes infinite effort, vulnerability is never zero.

So what does this show?  First, it shows that as long as there is some kind of asset loss that would result in harm to your organization, you will always have Risk – which we’ve always known.  But more importantly, it shows that if you don’t have an asset that is both worthwhile for an attacker to obtain and which causes harm to your business when lost, you don’t have any Risk.  Here are some practical scenarios (assuming, for demonstration purposes, that these descriptions are the full extent of the incident):

Would you care about one workstation being compromised to join a spam-bot army?  Just spam?  No.
How about that same workstation with a keylogger that records passwords?  Yep.
How about a whole bunch of those keyloggers on a bunch of systems?  You bet.
How about a website compromised to spread malware to external visitors?  Not so much.
SQL / Command injection attempts against front end inventory management systems?  Hell yeah.
Clear text passwords in use to manage mailing list subscriptions?  No.
Users evading web filters to surf porn?  Nope (unless we’re the government, clergy, or known hostile workplace).
“Rogue” sniffers running the internal network?  Big trouble.
Denial of service attacks against a public web presence?  Meh.
Phishing?  No.
Spear-phishing / Social Engineering?  Oh, my, yes.

Are any of the above new scary attack vectors?  No.
Have we been worried about these for years?  Yes.
Are they considered parts of what the proverbial “APT” will attempt in order to get access?  Yep.

So is it possible to defend against APT?  We’ve been protecting against APT for years, just not calling it that.  Duh - Winning!

——————————–

Physical Security Threat:

In the physical security realm, the term “adversary” is used.  When performing what is referred to in the physical security industry as a “Threat Risk Assessment”, one of the core constructs is identifying the adversary and what they’re after - the “Threat Agent”.  Threat agents are sometimes generalized into categories, such as vandal, disgruntled worker, violent criminal, white-collar criminal, organized crime ring, corporate spy, activist, or terrorist.  Each of these Threat Agents may have a different motivation.  For example, a vandal is motivated to defame the target, whereas a violent criminal is motivated to exact physical harm to individuals.  Likewise, a terrorist may be motivated to cause the most harm to an entity in any way possible, whereas a white-collar criminal is motivated to gather items of financial value.

But you’re not done yet – the meat of defining the threat is coupling the above with the magnitude of loss that could occur with a successful attack.  The magnitude of loss is dependent on the motivation (target) of the Threat Agent.  Typically this is expressed as something like:

T = P(Ta) + M(Tm)

Where Threat (T) equals the probability ranking of the Threat Agent acting against you P(Ta) plus the magnitude of harm the Threat Agent would have on your organization M(Tm).  Probability can be drawn from asset value – does your organization have something that the threat agent would like to have?  A lot of it?  If you’ve got a lot of it, you can safely assume a high probability.  If you lost that something, how bad would it be to your organization?  How about if you lost it several times (data is funny that way – reminds me of a joke about a prostitute, but I’ll save that for happy hour)?  That’s how to figure Magnitude.  This is a GREAT model to identify the threat, as it links the who, what, and why together.
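Here is the whole model (T = P(Ta) + M(Tm), V = 1 / Ee, R = T * V) run as a small assessment over the scenario list from the main rant.  This is an added example, not anything from the original post: the threat agents, the assets, and every number in them are made-up rankings on a 0..1 scale chosen to mirror “spam-bot vs. keylogger”, not measurements from anywhere.

```python
"""Threat-risk scoring using the page's equations.

Added example (not code from the original post).  The agents, assets and
numbers below are constructed, illustrative rankings, not measurements.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    p_act: float      # P(Ta): probability ranking that this agent acts against you
    magnitude: float  # M(Tm): magnitude of harm if the agent gets what it is after


@dataclass(frozen=True)
class Asset:
    name: str
    exploit_effort: float  # Ee: effort an attacker must spend to exploit it (> 0)


def threat(agent: ThreatAgent) -> float:
    """T = P(Ta) + M(Tm), the physical-security definition quoted above."""
    return agent.p_act + agent.magnitude


def vulnerability(asset: Asset) -> float:
    """V = 1 / Ee.  Effort is finite and positive, so V gets small but never hits zero."""
    if not (asset.exploit_effort > 0 and math.isfinite(asset.exploit_effort)):
        raise ValueError("exploit effort must be a positive, finite number")
    return 1.0 / asset.exploit_effort


def risk(agent: ThreatAgent, asset: Asset) -> float:
    """R = T * V, written out as P(Ta)*V + M(Tm)*V exactly as the post expands it."""
    v = vulnerability(asset)
    return agent.p_act * v + agent.magnitude * v


def rank(agents, assets):
    """Score every (agent, asset) pairing, highest risk first."""
    rows = [(risk(a, s), a.name, s.name) for a in agents for s in assets]
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample data (assumed values).  A spam-bot herder is very likely
# to hit a workstation but does little harm; a corporate spy is less likely
# to show up but does a lot of harm when successful.
AGENTS = (
    ThreatAgent("spam-bot herder", p_act=0.9, magnitude=0.05),
    ThreatAgent("corporate spy", p_act=0.3, magnitude=0.9),
)
ASSETS = (
    Asset("user workstation", exploit_effort=2.0),   # keylogger target
    Asset("inventory database", exploit_effort=5.0), # SQL injection target
)


def assessment():
    """The ranked table for the constructed agents and assets."""
    return rank(AGENTS, ASSETS)


if __name__ == "__main__":
    for score, agent, asset in assessment():
        print(f"{score:5.3f}  {agent:16s} -> {asset}")
```

Two things worth noticing when you run it.  The spy on a plain workstation outranks the spam-bot on the same box even though the spam-bot is three times as likely to show up, which is the keylogger-vs-spam point from the list.  And because T is additive, zeroing out the spy’s P(Ta) still leaves the pair scoring M(Tm) * V, so an unlikely-but-devastating agent stays on the list instead of dropping off; if you want “both worthwhile to the attacker and harmful to you” to act as a hard gate, the way the conclusion above reads, you would multiply P(Ta) and M(Tm) rather than add them.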


Input Sanitization Lessons Learned

or “Jim Jupiter vs. the Environmental Variable”

I consider myself to be a Competent Coder.  Capable and Cunning.  Composer of Cogent and Compelling Code.  Creative, without being Clever*.   Until I was put in my place by stupid cross-site scripting.

There I was, in the fall of last year, undergoing PCI scans from Coalfire, a reputable vendor that employs a bunch of smart guys (yep, that’s a free plug).  Figured this’d be a quick scan, fix some encryption settings, and I’m off to the races.  But that was not to be. 

Couple of findings on SSL self-signed certificates, and cross-site scripting.  Piece of cake – purchase stupid commercial certs, and fix up the xss.  Easy fix.

Not so easy.  The cross-site scripting drove me up a freakin’ wall.  Cross-site scripting!  Easiest thing to beat, right?  Just sanitize your input, and Bob’s your uncle.  But noooooo!!  This simple little freakin’ fix was completely out of my reach.  Hell if I knew why – I’m passing all my damn input through cgi.pm, then stripping out html entities manually…  but no bananas.  Jason (a rather patient guy) rescans and it’s still a problem.  “But…, but…, but… but it looks fine to me” I say to myself.  No xss in Firefox, IE9, Safari, or Chrome.  It looks fine when viewing the source.  Hell, I even went as far as using wget to see what the f* the scanner sees.  And then just a “raw” telnet request…

[clouds part, cue violin and harp music]

…And there it was – stupid, stupid, stupid html entities in the telnet output.  Turns out all the browsers I used have a built in xss prevention mechanism that I didn’t disable (even freakin’ wget!).  But not telnet (obviously).  F*ck me. 

But why doesn’t the damn input sanitization routine work right?  Telnet shows I’m still outputting html entities to the page.  I even went so far as to use HTML::Entities to encode / decode before putting to the page to make sure I wasn’t missing some oddball character set.  Still - no go. 

After tracking this through the code, it turns out I was short-cutting some url rewriting, using environment variables to create urls (a “Clever” solution).  Like for links to “next page” or other navigation items so that I could magically carry variables across to the next page view without having to know what was in the url in the first place (like changing page=1 to page=2 by regex on the REQUEST_URI and QUERY_STRING environment variables).  Environment variables aren’t “input”, per se, so they didn’t go through the filter.  ARRRGH!  So I run them through the filter, back out all the overkill crap I’d put in place trying to beat this fix into submission, and politely (sheepishly?) request a re-scan.  Presto, it’s clean.

So finally, after passing, I asked Jason (the patient guy who did the scans) what he was using to validate the finding, and he says “IE 8 with xss filter disabled”.  Duh!  That simple question could have saved me hours and hours if I asked it early on.

The moral(s) of the story:

  1. Find the “disable xss filtering” option in your browser when validating this kind of thing.
  2. Treat environment variables as “input”.  REQUEST_URI, QUERY_STRING, PATH_INFO, HTTP_* headers – the web server fills them from whatever the client sent.
  3. Your PCI ASV (the scanning vendor) can provide a ton of information if you put your overblown ego to the side and just freakin’ ask.
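Here’s the bug and the fix side by side in Python rather than Perl, as an added example that is not the original cgi.pm code: a “next page” link built by regexing page=N inside the raw QUERY_STRING, next to a version that parses the query string, rebuilds it, and HTML-escapes the result before it lands in an href.  The environ dicts, the /inventory.cgi script name and the q parameter are all constructed for the example; the payload is the generic “close the attribute, open a script tag” string a scanner sends.

```python
"""Reflected XSS through CGI environment variables: the shortcut and the fix.

Added example, not the post's Perl.  The environ dicts are constructed to
look like what a CGI server exports; /inventory.cgi and the q parameter
are assumptions.
"""
import html
import re
from urllib.parse import parse_qsl, urlencode


def next_page_link_clever(environ: dict) -> str:
    """The 'clever' shortcut: bump page=N inside the raw QUERY_STRING and paste
    the result into an href.  Nothing between the socket and the page ever
    escapes it, so whatever the client sent comes straight back out."""
    qs = environ.get("QUERY_STRING", "")
    bumped = re.sub(r"page=(\d+)", lambda m: f"page={int(m.group(1)) + 1}", qs)
    return f'<a href="{environ.get("SCRIPT_NAME", "")}?{bumped}">next page</a>'


def next_page_link_fixed(environ: dict) -> str:
    """Treat QUERY_STRING like any other input: parse it into fields, rebuild
    the query with urlencode (percent-encodes every byte that is not URL-safe),
    then HTML-escape the finished URL before it goes into an attribute."""
    params = dict(parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True))
    try:
        page = int(params.get("page", "1"))
    except ValueError:
        page = 1  # garbage in the page number is not an error worth reflecting
    params["page"] = str(page + 1)
    url = environ.get("SCRIPT_NAME", "") + "?" + urlencode(params)
    return f'<a href="{html.escape(url, quote=True)}">next page</a>'


def reflected_unescaped(body: str, payload: str) -> bool:
    """What the telnet session showed: is the payload in the response
    byte-for-byte?  Run this against the raw response, never a browser view."""
    return payload in body


# Constructed requests.  A browser percent-encodes the quote and angle
# brackets before sending; a scanner or a hand-typed telnet request does not,
# which is why the finding only showed up outside the browser.
PAYLOAD = '"><script>alert(1)</script>'
BENIGN_ENV = {"SCRIPT_NAME": "/inventory.cgi", "QUERY_STRING": "page=1&q=widgets"}
ATTACK_ENV = {"SCRIPT_NAME": "/inventory.cgi", "QUERY_STRING": f"page=1&q={PAYLOAD}"}

if __name__ == "__main__":
    print("clever:", next_page_link_clever(ATTACK_ENV))
    print("fixed: ", next_page_link_fixed(ATTACK_ENV))
```

The clever version emits the payload verbatim inside the href, so the attribute closes early and the script tag is live; the fixed version emits it as %22%3E%3Cscript%3E…, which a browser treats as part of a query string and nothing else.  When you validate a fix like this, look at the raw bytes with telnet, netcat or curl rather than any browser; moral 1 has also aged, since Chrome and Edge have since removed their built-in reflected-XSS filters entirely.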

Through this whole experience, I really, really, really tried to stay as professional as possible when dealing with the scanning vendor.  I came dangerously close to unloading on him out of sheer frustration caused by my own crappy code, but I bit my tongue.  Damn glad I did.

The end.

* – “Clever”, in this context, is a synonym for unintelligible.  If you’ve ever seen a “clever” solution to a problem, it’s probably in that block of code you skipped over because it didn’t make any sense.  Then when you finally sort out all the places the output goes, you come to realize that it’s a complete kludge.  “Clever”, my ass.  I’ve had a history of very clever solutions that I look at now and only see random ascii characters.


2011 Resolutions

Last year, I made several predictions.  For the record / what it’s worth, I’m batting .500.   So this year, instead of trying to do better, I figured I’d just change the rules of the game.  For 2011, I’m making resolutions instead of predictions – significantly fewer unknown variables should result in a higher average.  For those of you interested in how the resolutions turned out, they’re at the bottom, below the resolutions.  But without further ado, here are my 2011 Resolutions To Make The World A Better Place:

  1. Quit using bullet points and clip art in PowerPoint.  And no more than 10 words per slide, no less than 48 pt font.  Forced creativity. 
  2. Learn how to actually use PhotoShop, not just doink around in it.  I think I’d have a ball pasting well-known people into rant-specific situations.
  3. Host my own game show.  A recurring resolution that’s been on every Jovian wishlist since 1992.
  4. Run a marathon OR keep my knee in one piece.  Either one would be ok.  Not holding out hope for both.
  5. If I ever find these during an IT assessment:  
    a) default passwords
    b) weak passwords
    c) unpatched systems
    d) no (or uselessly configured) firewall
    e) no anti-virus
    … I will recommend the company immediately fire their freakin’ CIO and/or outsource IT to someone halfway competent.
  6. Finally, I resolve to visit Lindsay Lohan in prison and sing her Justin Bieber’s “One Less Lonely Girl”, as I firmly believe she was the inspiration behind lonelygirl15.  (take that, Google PageRank!)

 

And here’s a quick recap of how my 2010 predictions turned out.  Please note that although they were for the year 2010, a Jovian “year” is 11.8 earth years, so I’m still holding out hope that in the next 10.8 years, some of these will make it.  Please check back on October 17, 2020 for an update.

  1. Howard Schmidt lays low.  True!  Proven by his lily-livered, limp-wristed, wussy (but timely) answers to questions in an interview with Newsweek.
  2. Twitter dies.  Didn’t come true, damnit.
  3. Android becomes hacker’s playground.  Missed this one, too, but I’m guessing I’m just ahead of the game and it’s coming.
  4. Michael Jackson sightings rise astronomically.  True!  There’s a ton of them, the best ones recorded here.
  5. Cloud computing suffers setbacks.  True!  Now that Microsoft has sunk its teeth into the buzzword, they’ll slowly beat it to death with odd permutations of what it means.  Then they’ll bury Azure like Microsoft BOB and ME. 
  6. Control systems security appliances will flood the market.  Nope.  Again, I think I’m early.  When you’ve got an industry that tends to update technology on a semi-generational basis, the rush to market can be pretty slow.
  7. Woods, Sheen, and Sanford in a TV ad.  I’m claiming true on this one because I saw a documentary on TV about “Sheen Woods” in Ireland, where there are a lot of redd foxx (get it??).
  8. Cyber crime goes way up.  True, but it really depends on your view.
  9. My love, Siobhan Gorman, gets a job at CNN.  Regrettably not true.  Interestingly, though, she’s steered clear of the Stuxnet hoo-ha other than her initial report where she quotes a US military official implying that “we” did it.
  10. Netbooks overtake the “smart phone”.  Ok, so I missed this one entirely.  Note that this was written when the rumored name of the iPad was the iSlate.  And I incorrectly figured that the iPhone would be absorbed into it.  It amazes me how wrong I was – I totally forgot that Apple (et al.) would rather sell TWO devices to people.  Silly me!
  11. Translator still laid off for 2010.  Not counting this one.

Cloudy Outlook for the Cloud

Hear ye, hear ye!  The great soothsayer shall hereby speak the future truths…  All ye children, lady-folk or otherwise sensitive should avert their eyes.

Microsoft is killing off the term “Cloud”. 

I just sat through yet another stupid “cloud” commercial from Microsoft.  Of the two of these that I’ve seen, one is about Picture-Maker, which is a locally installed application, and the other is Remote Desktop.  Both of these have nothing to do with a “cloud”.  Picture Maker, in fact, can operate with no network connection, except for the “share” function – which has nothing whatsoever to do with the perfectly cropped images she seamlessly drags and drops into place.  And how in God’s green earth did remote desktop become a cloud service?  What the hell, Microsoft?  Have you lost your mind?  Are you (again) trying to redefine things so you can say you invented them (see “MS TCP/IP”, and “IE”)?  You’re like a freaking Dilbert strip.

The Oracle of all things ludicrous has spoken.


Stuxnet Update (taken with a grain of salt)

Hot off the presses:  Nothing.

Per Fox News – Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.

A standard reply on subjects of national security, I suppose.  But you may note that there’s not a whole lot of hoopla going on, nor any statements from the Pentagon that we’re scrambling to make sure it’s not going to happen here.  There are serious things going on, led by serious people in serious organizations, to reduce the possibility that it will happen here (mad props to my homies at NERC / FERC / even DOE), but there’s no official statement from the Pentagon encouraging the private sector to batten down the hatches. 

On the other hand, the only place I could find this wishy-washy, standard-practice Pentagon statement was via Fox News, so take that for what it’s worth.

All in all, I still stand by my previous implications of the Chapman / Jackson spy team.


Copyright © 1996-2010 E-rant. All rights reserved.