Bit9


Enterprise Application Whitelisting


Cisco urges Network Administrators to validate their Router Software

Posted by Mario Vuksan on Sun, Mar 22, 2009

Last year at EuSecWest 08, Sebastian Muñiz of Core Security demonstrated how to unpack and repackage Cisco IOS binaries, effectively showing how a rootkit can be embedded inside an otherwise valid Cisco IOS image. There are legitimate uses for this, especially in debugging, troubleshooting and penetration testing, but the potential for abuse is staggering, especially given the proliferation of counterfeit Cisco hardware running counterfeit Cisco software. Even the US Government is aware of tainted hardware that has made it into government purchasing streams.

In its defense, Cisco has published a guide for network administrators urging them to double check the MD5 hashes of their router software against the values Cisco publishes. Now what happens if the IOS components on the box are customized? A compromised image can misreport its own hash, so the check is only meaningful when the digest is computed off the device, from a copy of the image, and the reference value comes from Cisco rather than from the router.
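As an added example (not from the original post and not from Cisco's guide), here is the offline side of that check in Python: hash a copy of the image with each algorithm the vendor publishes, normalise and compare in constant time, and flag the case where MD5 is the only reference available. The sample image bytes and the digest manifest are constructed for the example; a real run would hash the .bin copied off the router and compare it with values taken from Cisco's download page.

```python
import hashlib
import hmac
import io

# Constructed stand-in for an IOS image; a real run hashes the .bin copied
# off the router or downloaded from the vendor.
SAMPLE_IMAGE = b"abc"

# Constructed manifest of vendor-published digests for that image. Cisco's
# download pages list an MD5 per image; the SHA-256 entry shows how a
# stronger digest is handled when the vendor offers one.
PUBLISHED = {
    "md5": "900150983CD24FB0D6963F7D28E17F72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def digest_stream(stream, algorithm, chunk=1 << 16):
    """Hash a binary file-like object in chunks; images run to tens of MB."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def verify(open_image, published):
    """Compare each published digest with the image. Returns {alg: matched}.

    open_image() must return a fresh binary stream on each call. Published
    values are normalised (case, whitespace) and compared in constant time.
    """
    results = {}
    for alg, expected in published.items():
        with open_image() as stream:
            actual = digest_stream(stream, alg)
        results[alg] = hmac.compare_digest(actual, expected.strip().lower())
    return results


def verify_image(data, published):
    """Check an image already held in memory."""
    return verify(lambda: io.BytesIO(data), published)


def verify_file(path, published):
    """Check an image on disk, e.g. one copied off the router with scp."""
    return verify(lambda: open(path, "rb"), published)


def assess(data, published):
    """Verdict plus a note. Every published digest must match; if MD5 is the
    only reference, a match rules out corruption and a swapped image, but
    the reference value must still have come from the vendor, not the box."""
    results = verify_image(data, published)
    bad = [alg for alg, ok in results.items() if not ok]
    if bad:
        return False, "mismatch: " + ", ".join(bad)
    if set(results) == {"md5"}:
        return True, "md5 only: confirm the reference value came from the vendor site"
    return True, "all digests match"


if __name__ == "__main__":
    print(assess(SAMPLE_IMAGE, PUBLISHED))
```

Computing the digest on a workstation from a copy of the image, rather than trusting a verify command executed by the very IOS under test, is the point: the code that reports the hash must not be the code being checked.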


Paperclips, needles and PCI

Posted by Mario Vuksan on Sun, Mar 08, 2009

Given that encryption is moving into the firmware of embedded chips and devices, it is just a matter of time before this type of attack becomes commonplace. Researchers at Cambridge University have used paperclips and needles to tap into chip-and-PIN terminals and record card details and the PIN from customers' bank cards. Needless to say, you do not need to break into an ATM; a typical cash register will do just fine.

Tapping into PIN terminals harks back to attacks and investigations of the past, but, just as MBR rootkits are making a comeback, so are physical attacks on the terminal itself.


Virtualization Vulnerability Trends

Posted by Mario Vuksan on Sun, Mar 01, 2009

Virtualization has been touted as a more secure alternative to today's physical real estate approach to computing.

Yet the IBM ISS X-Force report tells us to be prepared for new attacks against virtualization infrastructure. For one, the number of disclosed vulnerabilities in virtualization software is at an all-time high.

The report states that "although virtual machine breakout vulnerabilities tend to get a lot of attention from the press, they are rare", and that they target solutions which predominantly require a full-blown operating system alongside the hypervisor.

Bare-metal hypervisors are the cure for this, as they remove, for example, the Red Hat based Service Console (in VMware's case) from the mix. Similarly, Microsoft's implementation strips all unnecessary components from a cut-down OS so as not to be affected by any fringe vulnerability.

It is very likely that hypervisor-compromising malware, attacks on the management infrastructure, and other malicious activity will make headlines very soon. Yet hypervisors are very safe today. Having studied their structure, we can safely challenge the world to break and evaluate them. It will not be easy.


Attacking Intel® Trusted Execution Technology

Posted by Mario Vuksan on Sun, Feb 22, 2009

The new Centrino platform will be all the rage at Black Hat DC 2009 in Washington this February, where Joanna Rutkowska and Rafal Wojtczuk will evaluate attack scenarios against Intel's Trusted Execution Technology.

Intel's effort to put a fully featured web server, the AMT management interface, directly onto the motherboard has been discussed on numerous boards and was highlighted by Ivan Krstić in his keynote at the FIRST conference in Vancouver last year. Note that TXT (a measured-launch mechanism for the OS or hypervisor) and AMT (an out-of-band management engine with its own network stack) are distinct parts of the vPro platform, but both sit below the operating system, which is exactly what makes them attractive targets. Permanently subverting someone's motherboard may turn out to be the ultimate act of subversion.

So what's all the rage? You can read on Intel's pages:

"3. Intel AMT Platform Security

While one of the key usage models for Intel AMT is that it allows management applications to access client computers when they are in a powered-off state, the radio in a wireless network interface card (NIC) is typically not operational in power states other than S0. Thus, no wireless Intel AMT functionality is available when laptops are powered down or in low-power modes (sleep, hibernate, etc.).

Going one better: "Intel AMT Releases 2.5 and 3.0 are concurrent releases, with Release 2.5 supporting wireless capabilities on mobile platforms and Release 3.0 supporting wired PCs."

You may not need physical access anymore: an attacker could wardrive through a neighborhood, or just ride public transport, and reach every vPro laptop with its radio up. Note Intel's own caveat above, though: the wireless path exists only in S0, so the laptop has to be powered on, whereas a wired PC can be reached through AMT even when it is off.

Accompanying the Centrino Duo and Centrino Pro release were announcements of new notebook computers from Hewlett-Packard, Gateway, Fujitsu, Sony, Toshiba, Acer, Lenovo, Dell and others. Several hundred new notebook models with the updated Centrino platform are expected, which will make this technology ubiquitous.


IDS vs. Endpoint Lockdown

Posted by Mario Vuksan on Sun, Feb 15, 2009

Here's a great illustration of the relative effectiveness of IDS and endpoint lockdown as we have implemented it. Having a passive IDS (intrusion detection system) in your enterprise is akin to sitting on a train and snapping pictures of the world going by. You may see bad things that you would have liked to eliminate, but it is usually too little and too late.

Being able to eliminate every unwanted or unknown component, each and every time, on the other hand, gives you protection on top of the very thing an IDS was bought for: additional visibility. As in the illustration, you need to whack exactly what is wrong, and whack all of it without a miss.


Suspicious Software Part 2: Email vs. SPAM Tools

Posted by Mario Vuksan on Sun, Feb 08, 2009

Most organizations permit the use of alternative email clients. We all have our preferences. I still love Pine under Unix, for example. Yes, a bit retro. But where is the line between an alternative email client and a spam tool? Both send email; a spam tool just does it more efficiently. A good spam tool may even be a polished commercial product with a large price tag, or even with Anger Management features. Should an enterprise IT department track the email clients in use across the organization, permit only the ten or twenty most popular, and disable the boutique tools used by employees with too much free time or too much desire for a quick buck? The downside of having your enterprise IP ranges blacklisted is well known. A lot of spam leaving your organization causes brand damage that goes beyond being unable to send to, or receive from, certain mail servers: depending on where your internet or web services traffic is headed, it may be subjected to stricter controls or outright denial.


Suspicious Software Part 1: Credit Card Generators

Posted by Mario Vuksan on Sun, Feb 01, 2009

Spyware has generally come to mean low-tech malware that is more of a nuisance than a threat, unless it tries to steal my personal data. And given the sophistication of today's cybercrime gangs, spyware is beneath them; they are interested in rootkits, sophisticated botnet C&C protocols and the like.

Yet we should look below the surface and ponder how bad it would be to find credit card generators in your enterprise environment. It surely cannot be permissible under corporate policy. Worse, there will be liability for damage caused by the rogue employee, even though he may not pose an immediate threat to the company itself. Any software used for outright criminal activity, although not necessarily malicious from IT security's perspective, should be controlled by enterprise IT departments.


The iPods data hole - an argument for device control

Posted by Naveed Ihsanullah on Thu, Jan 29, 2009

 

This article on Ars Technica, man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars, made me both laugh and groan. The subject of the article purchased a second-hand mp3 player. Apparently the former owner had been using the device as a removable disk to ferry data around. Many of us have done exactly the same thing. The difference, however, is that this data contained the names and personal details of US soldiers.

 

The US government has many rules and processes that govern secure data. There is a wealth of information on this at NIST's Federal Information Security Management Act (FISMA) site.

 

We can guess at which rules and what processes the original owner violated to enable this breach. The exact rule broken isn't as important as recognizing that this breach happened because it was possible in the first place.

 

In the effort to get jobs done, shortcuts are often taken. I can certainly think of a scenario where, in a time crunch, this government employee took some secure data home so he could finish up his task over a weekend. His employer may have acknowledged the sensitive nature of the data he was working on and required that it exist only on computers attached to a secure network with no connection to the internet. Unfortunately, that tempting front-mounted USB port calls to people. They bring in their cameras and music players, their USB keys and webcams. Heck, they may even bring in USB rocket launchers to blow off a little steam at the end of a tough day.

 

This article isn't the first time that removable storage has led to data loss. The massive TJX breach comes to mind, although that intrusion began over wireless rather than through a USB port. More recently the details of more than 6,000 prisoners were lost. Through malicious and accidental acts, gigabytes of data leak out of USB ports around the world.

 

Physically removing USB ports may work for some organizations. Some have even suggested epoxy as an answer. USB ports have their uses, though, and these tactics are often too extreme. Antivirus and application whitelisting software can prevent malicious code from running off these devices, but they don't adequately address data loss.

 

What, then, is the answer? Whitelisting hardware is still in its infancy, but for this class of problem I think it shows a lot of promise. Selectively allowing USB devices by the device's serial number or by the logged-in user gives a flexibility that none of the other solutions possesses, not even epoxy. :)
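To make the serial-number and logged-in-user idea concrete, here is an added example, not part of the original post and not a description of any Bit9 product, of a small device-control policy in Python. It evaluates constructed USB-arrival events against an allow list that can pin a drive to its serial and to named users; non-storage classes pass through, everything else is default-deny, and a drive that reports no serial can only satisfy a rule that does not pin one. The vendor and product IDs, serials, user names and the event line format are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str          # hex VID as udev or Windows PnP report it
    product_id: str         # hex PID
    serial: Optional[str]   # None: many cheap drives report no serial at all
    device_class: str       # "storage", "hid", ...


@dataclass(frozen=True)
class AllowRule:
    vendor_id: str
    product_id: str
    serial: Optional[str] = None      # None: any unit of this model
    users: frozenset = frozenset()    # empty: any logged-in user


# Constructed allow list: one drive pinned to its serial and to two users,
# and one camera model allowed for anyone (cameras seldom carry a serial).
ALLOW_LIST = [
    AllowRule("0781", "5406", serial="4C530001", users=frozenset({"jdoe", "asmith"})),
    AllowRule("04a9", "3176"),
]

# Classes that cannot carry files out (keyboards, mice) pass without a rule;
# everything else is default-deny.
PASSTHROUGH_CLASSES = {"hid"}

EVENT_RE = re.compile(
    r"user=(?P<user>\S+) vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) "
    r"serial=(?P<serial>\S*) class=(?P<cls>\S+)"
)


def parse_event(line: str) -> Tuple[str, UsbDevice]:
    """Parse one constructed device-arrival line into (user, device)."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError("unrecognised event: " + line)
    return m.group("user"), UsbDevice(
        m.group("vid"), m.group("pid"), m.group("serial") or None, m.group("cls")
    )


def decide(device: UsbDevice, user: str, rules: List[AllowRule]) -> Tuple[bool, str]:
    """Default-deny decision for a device plugged in while `user` is logged on."""
    if device.device_class in PASSTHROUGH_CLASSES:
        return True, "non-storage class"
    for rule in rules:
        if (rule.vendor_id, rule.product_id) != (device.vendor_id, device.product_id):
            continue
        # A rule that pins a serial can never be satisfied by a device that
        # reports none, so such a device falls through to deny.
        if rule.serial is not None and device.serial != rule.serial:
            continue
        if rule.users and user not in rule.users:
            continue
        return True, "matched %s:%s" % (rule.vendor_id, rule.product_id)
    return False, "no matching rule (default deny)"


# Constructed arrival events, syslog-style.
EVENTS = [
    "2009-01-29T09:00:01 usb add user=jdoe vid=0781 pid=5406 serial=4C530001 class=storage",
    "2009-01-29T09:05:12 usb add user=bob vid=0781 pid=5406 serial=4C530001 class=storage",
    "2009-01-29T09:07:40 usb add user=jdoe vid=0781 pid=5406 serial=4C530002 class=storage",
    "2009-01-29T09:10:00 usb add user=bob vid=05ac pid=1261 serial=A1B2C3D4 class=storage",
    "2009-01-29T09:12:30 usb add user=bob vid=046d pid=c31c serial= class=hid",
    "2009-01-29T09:15:00 usb add user=bob vid=04a9 pid=3176 serial= class=storage",
]


def replay(lines, rules=ALLOW_LIST):
    """Evaluate each event; returns [(user, 'vid:pid', allowed, reason)]."""
    out = []
    for line in lines:
        user, dev = parse_event(line)
        allowed, why = decide(dev, user, rules)
        out.append((user, dev.vendor_id + ":" + dev.product_id, allowed, why))
    return out


if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
```

The replay denies the approved drive when the wrong user is logged on, denies a second unit of the same model with a different serial, and denies the unknown music player outright, while a keyboard and an anonymous camera of an approved model get through; the decision log is what you would feed into an audit trail.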

 

I would love to hear your thoughts on these issues. Are there better solutions out there that we, the security industry, should be exploring?

 

 -- 

Ex post facto introduction: since this is my first time blogging for Bit9, a quick introduction might be in order. My name is Naveed Ihsanullah. I have worked in software development and security for the past fifteen years. I have always been a firm believer in whitelisting as a solution for IT infrastructure control and for the ever-increasing glut of malware. After hearing about the exciting Parity product, I joined Bit9 in autumn 2008 as a Development Architect.


Making Firmware Software Trustworthy

Posted by Mario Vuksan on Sun, Jan 25, 2009

It is old news that Seagate built encryption directly into its hard drive firmware. In short succession the rest of the industry followed suit or announced plans to. Digital forensics practitioners have been screaming in agony ever since, as if sifting through the terabytes of data a typical enterprise investigation now involves were not hard enough.

Researchers and, more importantly, intelligence professionals have been playing with the cold boot attack, bringing a healthy dose of science fiction into what is really a purely digital problem: spraying DRAM chips with coolant so that disk encryption keys held in memory can be pulled out. Here's an interesting report from Bruce Schneier. Note that cold boot targets keys that software disk encryption keeps in host RAM; when the encryption lives in the drive firmware, the media key stays inside the drive, which is part of what makes that firmware the interesting target.

A more interesting angle is the encryption firmware itself. Should we mention that it may be highly proprietary and difficult to reverse engineer? Or not; but how are we to know? Or should we fantasize about some government's hidden backdoors and decryption mechanisms forced upon these hardware vendors? Think the US government if you are on the left, or Chinese or Russian if you are on the right. In 2007 a Chinese company expressed interest in buying Seagate. It caused quite a stir.

We do not have a problem with encryption. Protection is a right (your First Amendment right, should we say?), but we need to be able to certify our encryption solutions and verify their functionality and integrity long after the purchase date. Only that way will we be protected and assured of our digital assets. In a more open environment, even forensics solutions will find a way to adapt and use more straightforward ways to acquire the data.


Success with Application Whitelisting: Finding a perfect Security for YOUR problem

Posted by Mario Vuksan on Sun, Jan 18, 2009

There are hundreds if not thousands of anti-malware researchers working extremely hard to give us the best possible set of signatures, the best possible protection against the bad things that are trying to harm us. They are the so-called blacklisters. We need to thank them. We also need to explain that not all security products fix all security scenarios. New challenges are making the old processes obsolete. Advances in security breed advances in malware creation, hence the flood of incoming samples.

Application whitelisting in its current form, on the other hand, does some things extremely well. It is the best solution for locking down an endpoint to an acceptable set of applications and their derivatives. It has always been a challenge to deal with automatic updaters, patches, service packs and the like that continually change a system's basic software image. Application whitelisting lets you forget about those challenges and focus on a positive security model: anything that is not explicitly approved, or not produced by an approved updater, simply does not run.

But lockdown is not for every endpoint or every end user. Some need the flexibility to experiment, go outside the box and drill down into more exotic areas of the Internet. Even though application whitelisting could help them with software reputation and with assurance that the system has not been compromised by unknown software, it is still prudent to combine the benefits of a whitelisting solution with those of a typical anti-malware suite.
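As an added illustration of the positive model with a trusted-updater rule (example code written for this page; it is not Bit9 code and not a description of how Parity implements this), here is a Python sketch: execution is allowed only for approved content hashes, and a file written by an approved, trusted updater is approved automatically, so a legitimate update keeps running while an unknown dropper's payload does not. File contents, paths and the event stream are constructed stand-ins.

```python
import hashlib
from typing import Dict, List


def fingerprint(content: bytes) -> str:
    """An executable's identity is its content hash, never its path or name."""
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for executables found on a freshly imaged endpoint.
BASELINE: Dict[str, bytes] = {
    r"C:\Program Files\Acme\acme.exe": b"acme app build 1",
    r"C:\Program Files\Acme\acmeupdate.exe": b"acme updater build 1",
    r"C:\Windows\System32\notepad.exe": b"notepad",
}
UPDATER = BASELINE[r"C:\Program Files\Acme\acmeupdate.exe"]

# Constructed content that shows up after the baseline was taken.
ACME_V2 = b"acme app build 2"                  # legitimate update
DROPPER = b"unknown downloader"                # never approved
PAYLOAD = b"dropped payload"                   # what the dropper writes
BAD_UPDATER = b"acme updater build 1 + patch"  # updater tampered on disk


class Whitelist:
    """Default-deny execution policy with a trusted-updater rule."""

    def __init__(self, approved, trusted_updaters):
        self.approved = set(approved)
        self.trusted_updaters = set(trusted_updaters)

    def may_execute(self, content: bytes) -> bool:
        return fingerprint(content) in self.approved

    def on_write(self, writer: bytes, new_content: bytes) -> bool:
        """Called when `writer` creates or replaces an executable.

        The new file inherits approval only if the writer is both on the
        trusted-updater list and still approved itself; a tampered updater
        fails the second test, so its output stays blocked.
        """
        w = fingerprint(writer)
        if w in self.trusted_updaters and w in self.approved:
            self.approved.add(fingerprint(new_content))
            return True
        return False


def build_baseline(files: Dict[str, bytes], updaters: List[bytes]) -> Whitelist:
    """Approve everything present at imaging time; mark the chosen updaters."""
    return Whitelist({fingerprint(c) for c in files.values()},
                     {fingerprint(u) for u in updaters})


# Constructed event stream: ("exec", content) or ("write", writer, new_content).
EVENTS = [
    ("exec", BASELINE[r"C:\Program Files\Acme\acme.exe"]),
    ("write", UPDATER, ACME_V2),
    ("exec", ACME_V2),
    ("write", DROPPER, PAYLOAD),
    ("exec", PAYLOAD),
    ("write", BAD_UPDATER, PAYLOAD),
    ("exec", PAYLOAD),
]


def replay(events, wl: Whitelist = None) -> List[bool]:
    """Apply events in order; True means allowed (to run, or to be approved)."""
    if wl is None:
        wl = build_baseline(BASELINE, [UPDATER])
    out = []
    for ev in events:
        if ev[0] == "exec":
            out.append(wl.may_execute(ev[1]))
        elif ev[0] == "write":
            out.append(wl.on_write(ev[1], ev[2]))
        else:
            raise ValueError(ev[0])
    return out


if __name__ == "__main__":
    print(replay(EVENTS))
```

The trusted-updater rule is where this model is weakest: anything that can make the updater write attacker-chosen bytes inherits approval, so the set of updaters should be small and their own hashes pinned. That is why the tampered updater in the replay is refused: its hash is no longer the approved one, even though the path and name are unchanged.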

