Bit9


Enterprise Application Whitelisting


What do Burritos have to do with Software Assurance?

Posted by Mario Vuksan on Thu, Jul 31, 2008
Here is one of the most brilliant illustrations of a principal software assurance problem: the story of a lonely burrito, and what we really know about the software in our environment. It was created by Brian Chess, Chief Scientist and Founder at Fortify Software, for the May meeting of the Software Assurance Forum. The full presentation can be found here. It does an amazing job of telling the story.

So what do we do when we are presented with a tasty burrito? We can wonder whether it is really a burrito. What is it filled with? These are easy tasks: unwrap the tortilla and the ingredients, although mixed, will be self-evident. Does it taste good? Also easy: try the burrito and decide whether you want to proceed. Yet it is not possible to easily tell where this burrito has come from.



The burrito is a wonderful analogy for a software application. How often do we find an application on our system that looks and feels like an application, but we do not know what to do with it? If it is an installer, we can install it (hoping it is not malicious), or we can do a bit of reverse engineering to probe its internals. Then, if still curious, we can get a taste of its behavior by running it. But we still will not know where that software application has come from, unless it carries a digital signature whose certificate identifies the publisher.

Bit9's Global Software Registry helps with just that: telling where files and software come from. This is not information extracted from the software itself. Instead, the file's cryptographic hash, the digital world's equivalent of DNA matching or an RFID scan, is matched against a trusted central repository, which can then accurately say where that exact piece of software came from. Because the hash is computed over the file's bytes, the match is independent of the file name, and a copy that has been modified by even one byte (repacked, patched or trojanized) will simply not be found, which is the right outcome: an unknown file is unknown, not vouched for.
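To make the hash-matching idea concrete, here is an added example (not Bit9 code and not part of the original post) of provenance lookup by content hash. The registry, the file bytes and the vendor name are constructed stand-ins; SHA-256 is an assumption, since the post names no algorithm. The point it shows is that identity comes from the bytes, so a renamed copy still matches while a one-byte change turns a trusted file into an unknown one.

```python
"""Provenance by content hash: added illustration of registry matching.

Constructed example, not Bit9 code.  A registry maps the SHA-256 of a
file's bytes (assumed algorithm) to what is known about that exact build.
The lookup depends only on content, never on the file name.
"""
import hashlib

# Constructed stand-in for a real program file.
GOOD_BUILD = b"MZ\x90\x00...pretend this is the vendor-built pos.exe v2.1..."


def fingerprint(content: bytes) -> str:
    """Content hash that serves as the file's identity."""
    return hashlib.sha256(content).hexdigest()


# Constructed registry: hash -> provenance record.  A real registry is
# populated from vendor feeds and crawls; here it holds one trusted entry.
REGISTRY = {
    fingerprint(GOOD_BUILD): {
        "publisher": "Example POS Vendor Ltd",  # hypothetical publisher name
        "product": "pos.exe",
        "version": "2.1",
        "reputation": "trusted",
    },
}


def identify(content: bytes, claimed_name: str) -> dict:
    """Return what the registry knows about these bytes.

    claimed_name is only echoed back; it plays no part in matching.
    An unknown hash is reported as unknown, not as malicious: the
    registry can vouch only for what it has already seen.
    """
    record = REGISTRY.get(fingerprint(content))
    if record is None:
        return {"claimed_name": claimed_name, "reputation": "unknown"}
    return {"claimed_name": claimed_name, **record}


def tamper(content: bytes) -> bytes:
    """Flip one bit of the last byte, as a repacked or trojanized copy would."""
    return content[:-1] + bytes([content[-1] ^ 0x01])


if __name__ == "__main__":
    print(identify(GOOD_BUILD, "pos.exe"))          # trusted
    print(identify(GOOD_BUILD, "burrito.exe"))      # still trusted: the name is irrelevant
    print(identify(tamper(GOOD_BUILD), "pos.exe"))  # unknown: the content changed
```

The third call is the practitioner's check: a registry hit means "these exact bytes are known", and a miss means nothing more than "never seen", so an unknown result should drive further analysis rather than a verdict either way.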


Defcon's Race2Zero contest and Whitelisting

Posted by Mario Vuksan on Wed, Jul 30, 2008

Defcon is next week. Race2Zero is Defcon's contest that will attempt to create new strains of malware in order to test the detection capabilities of anti-malware products. Setting aside fears that some of these strains could be released to the public, there is an ethical question: should malware be created for fun and games?

All malicious samples should be treated equally, as any of them could be released at one time or another, by malicious intent, by a data breach or by mistake. Yet using artificially created samples to test products that were built to protect against threats in the wild is not a reasonable study or contest of any kind. It is no secret that anti-malware solutions have their weak points, and pointing them out with bogus examples does not make them any better or the public any safer, in my opinion.

The problem lies in the limited space each anti-malware solution can reserve for signatures, which needs to go to truly virulent and prevalent malware samples. Filling endpoint signature databases with thousands upon thousands of signatures for "fun" experiments is not a good use of time for the few malware analysts available, and it certainly adds to the performance burden the end user experiences.

From the perspective of our Global Software Registry, however, we are looking forward to receiving the Race2Zero samples. If something has been created to run on a computing machine, for fun, profit, game or by mistake, it should have its reputation assessed, and we will be doing that. Such information is then of paramount value to any end user, researcher or automated process that may stumble upon it.

On the issue of whether we should be scanning on the endpoint: the samples created in the lab are few, so we should not burden the endpoint with them. But there is no reason not to hammer a database index in the cloud, where we are not limited by the space and performance constraints of a personal computer. Bit9's Global Software Registry functions in the cloud just fine with almost 7 billion entries. By comparison, a typical anti-malware suite keeps a 1-2 million entry index on each computer.

Cuil.com launched on Monday, demonstrating that it is possible to keep extremely large indexes when necessary. They claim a 120 billion entry index, three times the size of Google's.

In security, we have been afraid of technical complexity for far too long. It is time to embrace it, and to put it in its proper place.


From unsecured POS terminals to Identity Theft

Posted by Mario Vuksan on Tue, Jul 29, 2008

It is striking that all of the recent attacks against Point of Sale (POS) terminals share similar parameters: the dirty work was done by unauthorized applications. 73% of attacks come from outside the organization, with Eastern European groups focusing on getting to the data available through POS systems. The full Verizon Business report, summarizing some 500 data breach investigations the company has conducted over the past few years, is available. The majority of the attacks use a "foothold", a Trojan, bot or persistent exploit, to grab the data.

More disturbing still, the recent Identity Theft Resource Center report finds that 82 percent of victims learned about the breach from their creditors or, worse, from collection agencies. Further down the path of shame, 62 percent of respondents to the ITRC survey reported that thieves had committed crimes such that warrants were issued in the victim's name. That should be a rallying call for all of us.


The interesting thing is that most of these attacks could have been prevented simply by locking down the perimeter servers or Point of Sale terminals that are used as entry points into the network.

One of the newer ways to do this is Application Whitelisting, which lets you clearly articulate which software is trusted, e.g. anything signed by your department or by your trusted set of vendors, so that only those trusted applications are allowed to run and everything else is denied by default.


North East is a mecca for data theft

Posted by Mario Vuksan on Fri, Jul 25, 2008
It seems that hackers love attacking the North East. First the TJX breach, then Hannaford Brothers, and now the Okemo Mountain Resort in Vermont and in Connecticut. Even Dave & Buster's has locations in Rhode Island and New York. These targets are very lucrative sources of credit card numbers, as New Englanders seem quite wealthy to various Russian, Ukrainian and Estonian eyes. Law enforcement has reported at least 50 such investigations in the North East alone! It is imperative to employ Application Whitelisting to lock down the attackers' beachheads, the point of sale machines, in order to turn the tide.


Application Whitelisting solves problems that Anti-Malware products never will

Posted by Mario Vuksan on Thu, Jul 24, 2008
Courtesy of our friends at PCTools came this interesting piece, and it is all correct. Video didn't kill the radio star; they all lived happily ever after. The goal of combining whitelisting with blacklisting is always to combine best-of-breed solutions and use them to maximum effect.

Whitelisting can do wonders to improve, speed up and scale the anti-malware solutions of tomorrow. Everybody is getting on this bandwagon: Kaspersky, Symantec, Trend Micro, PCTools and others. Robert Vamosi explains these recent approaches well.

What is not talked about in this context is the power of Application Whitelisting to replace anti-malware solutions altogether. Tom Murphy talks about this. Bit9's customers have found that there are scenarios in which pure Application Whitelisting is sufficient to secure the endpoint. For example, any organization that has attempted to secure and control approved software images can take advantage of Application Whitelisting and endpoint lockdown. Point-of-sale (POS) terminals, servers, trading stations, single-purpose virtualized sessions and almost anything that is not a "personal" computer or a laptop can safely be locked down. They should not be able to run P2P applications, games, or Trojans.


Dangers of Firmware as a Mini-OS

Posted by Mario Vuksan on Wed, Jul 23, 2008

As security moves into hardware, network cards, hard drive firmware and motherboards are starting to look more and more like mini operating systems. This is the opposite direction from where the Transmeta promise would have taken us.

From the security perspective, it appears that the security infrastructure we have built so far will be useless at this level as well. This is already happening with virtualized environments, where people are expecting new tools and new technologies to be developed.

We can expect hardware components to be owned, to participate in distributed attacks, and to permanently shut down our ability to recover easily, already at the hardware level.

How often would you be patching your firmware embedded web browser?

More software complexity will expose more bugs and more vulnerabilities, and will bring more third-party code into erstwhile monolithic code bases. It will be interesting to watch firmware performing automatic over-the-web updates. I wonder how it will inform the user of the impending reboot request? Let's assume for the moment that the time of trivial protections against random firmware flashing and PDOS (permanent denial of service) attacks is over.

Intel's Active Management Technology (AMT), shipped on Centrino Pro/vPro platforms, builds a web server into your motherboard, allowing you to quite easily override the behavior of your hardware, firewall rules, etc., even when the machine is nominally powered off (as long as it still has standby power). This has caused quite a stir on the Cryptography mailing list. Ivan Krstic, one of the most influential security minds according to eWeek, was quite severe about it in his keynote address at the FIRST 2008 conference in Vancouver. Obviously, all the rage is over advanced "features" that are now accessible to anyone even when the machine is powered off. I bet Ivan hasn't read Eric Filiol's piece in the July edition of Virus Bulletin that talks about accessing RAM when the machine is powered off. Yes indeed, data continues to persist. Let's welcome a new set of spy movies.

From the Application Whitelisting perspective, this is a worthy opportunity, since who would not want the firmware image locked down? You want only the trusted components and their updates residing in the hard-to-reach depths of your hardware. But to get there, we need to start promoting some basic standards and procedures. For example, this still seems quite relevant. For purpose-built operating systems, firmware images and appliances, a control harness that limits the built-in OS to doing only what it should has to be a security priority.


Does whitelisting kill AV?

Posted by Kate Munro on Tue, Jul 22, 2008

This was a particularly well thought out blog post from Threat Fire on whether whitelists will kill AV or work with it. It is a response to CNET writer Robert Vamosi's Defense in Depth column on whitelisting, which quotes Bit9 CEO Patrick Morley. The Threat Fire writer talks about AV and whitelisting working together, with AV eventually, in the future, becoming commoditized (JAMPoJ, if you like silly jargon). When the writer talks about the whitelisting solutions sitting beside the "more exposed" ones, I take it to mean that whitelisting will be the first line of defense at the endpoint, stopping malware and unauthorized software from running. In terms of when this will happen, there is the ideal and then there is the real. When it comes to innovative technology like whitelisting, it will not be a wholesale change but a gradual one, as the Threat Fire writer said.


Best security practice for POS terminals

Posted by Mario Vuksan on Mon, Jul 21, 2008
Thinking back on the Dave & Buster's breach: people are saying that protocol obfuscation, made possible by vendors like Arxan, VI Labs and Cloakware, would fix these flagrant theft attempts. Dave & Buster's and Hannaford Bros data was stolen because their wireless data was being transmitted in the clear. What has not been told is that the systems were compromised with backdoors and unauthorized sniffing software. Had that not been the case, attackers would not have had the chance to get to the data in the first place. This is the ancient debate: should I secure the network or the endpoint? I would argue that you need to do both. Endpoint systems like POS terminals have to be pristinely clean. Application whitelisting helps immensely here. Imagine, what could be the purpose of unauthorized components on such a system?


Not locking down POS terminals should be a crime

Posted by Mario Vuksan on Fri, Jul 18, 2008

Every other week, unchecked POS systems end up costing organizations dearly. Credit card numbers from just one Dave & Buster's restaurant rang up as much as $600,000 in unauthorized charges. The culprit was unauthorized network sniffing software. This sounds very similar to the Hannaford Brothers scenario. How much of cardholders' money needs to be spilled before operators of POS systems realize that their devices are not meant for surfing the internet and playing games? They should instead be machines whose configuration is locked down.

Even more so, Peter Tippett, VP at Verizon Business, claims that 45% of all breaches have a POS element. He would know, as Verizon Business is the exclusive forensics investigator for the credit card industry when these breaches happen.

Not to boast of our own successes, but everyone should look to what Marks & Spencer is doing in the UK. All POS systems need to be locked down with application whitelisting products like Bit9 Parity.


Blacklisting and Whitelisting will Co-Exist

Posted by Mario Vuksan on Tue, Jul 15, 2008
We couldn't agree more with Carl Weinshenk's piece on malware protection: blacklisting and whitelisting will co-exist. Questions of whether something is good or bad, good for me or bad for me, are part of the same continuum of curiosity about files and applications, which cannot and should not operate in a vacuum. Obviously someone would want to know whether an unapproved or unauthorized piece of software is in fact malicious. Similarly, it is of paramount value to offer the user the comfort of knowing that a suspicious-looking piece of code on their machine (e.g. svchost.exe) is in fact a legitimate part of the Windows OS distribution. That judgment has to be made on the file's content, its hash or its signature, and never on its name alone, since malware routinely borrows the names of legitimate system files.
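The following is an added example, not Bit9 Parity code and not part of this or the POS-lockdown posts above, of how the two ideas fit together on a locked-down endpoint: a default-deny execution policy (approved hashes plus a trusted-publisher set, as the POS posts describe) combined with a blacklist verdict from a reputation registry. All file contents, paths and publisher names are constructed, and the signer field is assumed to come from signature verification performed upstream (e.g. Authenticode chain validation), which this example does not implement.

```python
"""Default-deny execution policy for a locked-down endpoint such as a POS terminal.

Added example, not Bit9 Parity code.  Inventory records are constructed; the
'signer' field stands for an already-verified code-signing identity
(assumption: signature verification happened upstream; not done here).

Rules, applied in order:
  1. hash known malicious in the registry   -> BLOCK  (blacklist still has a say)
  2. hash explicitly approved by operator   -> ALLOW  (e.g. a known Windows binary)
  3. signer in the trusted publisher set    -> ALLOW
  4. anything else                          -> BLOCK, reported for review
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents standing in for real binaries.
WINDOWS_SVCHOST = b"MZ...genuine svchost.exe build..."
VENDOR_POS_APP = b"MZ...pos.exe built and signed by the POS vendor..."
SNIFFER = b"MZ...packet capture tool dropped by an attacker..."
FAKE_SVCHOST = b"MZ...malware that borrowed the svchost.exe name..."


@dataclass
class FileRecord:
    path: str
    content: bytes
    signer: Optional[str]  # verified signing identity, or None if unsigned


@dataclass
class Policy:
    approved_hashes: set     # hashes explicitly approved by the operator
    trusted_publishers: set  # signers whose software may run
    known_bad_hashes: set    # registry reputation: confirmed malicious

    def decide(self, f: FileRecord) -> Tuple[str, str]:
        h = sha256(f.content)
        if h in self.known_bad_hashes:
            return ("BLOCK", "known malicious (registry blacklist)")
        if h in self.approved_hashes:
            return ("ALLOW", "hash approved")
        if f.signer in self.trusted_publishers:
            return ("ALLOW", f"signed by trusted publisher {f.signer}")
        # Default deny: unknown is not the same as safe.
        return ("BLOCK", "unapproved: not on whitelist, report for review")


POLICY = Policy(
    approved_hashes={sha256(WINDOWS_SVCHOST)},
    # Hypothetical publisher names.
    trusted_publishers={"Example POS Vendor Ltd", "Example Retail IT Dept"},
    known_bad_hashes={sha256(FAKE_SVCHOST)},
)

INVENTORY = [
    FileRecord(r"C:\Windows\System32\svchost.exe", WINDOWS_SVCHOST, "Microsoft Windows"),
    FileRecord(r"C:\POS\pos.exe", VENDOR_POS_APP, "Example POS Vendor Ltd"),
    FileRecord(r"C:\Temp\sniff.exe", SNIFFER, None),
    FileRecord(r"C:\Windows\svchost.exe", FAKE_SVCHOST, None),  # same name, wrong bytes
]


def evaluate(policy: Policy, inventory) -> dict:
    """Map each path to its (verdict, reason)."""
    return {f.path: policy.decide(f) for f in inventory}


if __name__ == "__main__":
    for path, (verdict, why) in evaluate(POLICY, INVENTORY).items():
        print(f"{verdict:5} {path}: {why}")
```

Two things to note: the genuine svchost.exe is allowed by hash even though "Microsoft Windows" is not in the trusted publisher set, while the impostor with the same name is blocked as known bad, and the unsigned sniffer is blocked without any signature for it having to exist.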


Looking closer at the malware statistics

Posted by Mario Vuksan on Thu, Jul 03, 2008

Ever since Symantec CEO John Thompson's keynote at the RSA Conference this past April, there have been several stories quoting statistics that claim more malware is produced than bona fide good code. At first it sounds quite alarming: have the bad guys won? Do bad citizens outnumber the good ones? As most of us do not believe such alarmist hoopla, these claims merit some looking into. There may be more and more criminals focusing on Internet theft, as the population grows and the opportunities for cyber crime increase. However, it is questionable whether there is actually more malware produced than good software.


The Bit9 Global Software Registry database grew 300% in 2007. What we have seen, by collecting the world's software in this database and cataloguing it, is that the amount of malware has only doubled in the same period, based on the most aggressive of reports. This leads me to believe that there is not more bad software out there than good software.


Yet the story of faulty statistics keeps being retold. In InfoWorld, the reporter quoted Thompson as saying there was more malware than good software. In Computerworld it was written that in a single month more than 54,000 new applications were discovered (by the way, Bit9 discovers more applications in a single day). The story said the majority of them were malicious and attributed the data to Symantec's Community Watch. What we are not told in this story is that the system looks only at new and suspicious applications among Symantec enterprise customers, ignoring all the other uninteresting but good applications. Think of suspicious apps as something a HIPS or a behavioral engine would detect. Does this mean that Symantec's Community Watch approach to discovering malware yields as much as 50% false positives?


What is clear is that there is significant growth in the quantity of malicious software, as all anti-virus vendors and analysts have said. In fact, Gartner analyst Peter Firstbrook called it the "explosion of the malware universe" recently at the Gartner IT Security Summit in Washington, DC. The most important takeaway is that to keep up with this flood of malware, a new set of tools is required. Existing products will not suffice for much longer, as the industry and analysts are painfully aware, and so there will be more and more stories and technologies exploring new approaches, including whitelisting.

