An Information Security Place

Commentary on the State of Information Security

Archive for May, 2008...

Filed under Security

OK people, we have a speaker for BayouSec. It will be on June 5th at the Alert Logic facilities @ 1776 Yorktown, 7th floor, just south of the Marathon Oil tower on San Felipe. It will start at around 6:30 (we have found that the later time works better).

Below is the information on the talk and the speaker. I expect the talk to last about 25 minutes, and then it will be open to questions and comments. We can just let it grow from there.

Thanks to Adam Pridgen for volunteering for this. In the future, if you have something you want to speak on, please let me know.

—————————-

Speaker:

Adam Pridgen

Title:

Reverse Engineering Software with Basic Protections

Summary:

The presentation will cover the basics of reverse engineering malware, or any other software protected with basic protectors and packers, using ImmDbg, IDA Pro, LordPE, ImpRefound, Wireshark, and an IRC server. The presentation will walk through dumping the malware to disk, and then cover the general process I used to identify the command structure, functionality, and required parameters to interact with the malware sample.

Bio:

Adam Pridgen is an independent security researcher and contractor. Previously, he worked for Foundstone Professional Services, where he was involved with code reviews, threat models, and penetration testing, among other tasks such as teaching and lab development for Foundstone’s Ultimate Hacking classes. Prior to Foundstone, he spent a little over five years in the security community working on software development projects, software testing, and in telecommunications for a variety of organizations. Adam’s most notable accomplishments include an MS and BS in Electrical and Computer Engineering and an Honorable Discharge from the US Army.

—————————-

Vet

Posted by Michael Farnum on Wednesday, May 28th, 2008

Filed under Bull Shiitake, Business of Security, Commodity Products, Convergence, Security

…for this interview?  It is titled "Embedding security has drawbacks says TippingPoint chief architect", but the explanation Brian Smith gives is about as weak as the American dollar.  Did TippingPoint marketing write the questions?  Sheesh.

Look, there is a need for embedded security AND security on the edge. It really comes down to your business. When good and fast security becomes built into the switch, I will look at it and judge its merits for MY BUSINESS (or my client’s business). But this whole thing about switching and routing technology being outpaced by security technology is the largest piece of crap answer I have ever heard. Of course the security technology is outpacing it. That is because security is hot, hot, hot right now, and it has been for the last few years, whereas routing and switching are routing and switching. But what does that mean??

Mr. Smith, was the incorporation of IPS into 3COM switches a "fool’s errand", as you called it at 3:21 in the video? Does that mean that you can’t incorporate the two? Does it simply not work? Is this just not feasible? Of course not. The reason you are saying this is because the 3COM / TP deal fell through for other reasons. Plain and simple, 3COM was not in any kind of position in the switching market to make a dent. I wrote about this a while back. Here’s most of that post:

When I was an infosec manager, I was a TippingPoint customer. When I bought the TippingPoint box, stand-alone devices were still all the rage. UTM and NAC were pretty much still new terms. But right about the time TippingPoint was bought by 3com, the convergence track had started to emerge. Cisco was really getting into putting different devices in their switches. Things were really starting to move in that direction, and 3com probably thought they should do the same.

But just in case things were not what they seemed, 3com decided to test the waters (conjecture on my part, but plausible conjecture nonetheless). So they surveyed their customers (or TippingPoint customers, at least). I received one of these surveys. Among other things, it asked if I would buy a 3com enterprise switch with a TippingPoint IPS blade integrated into it. Understand that I come from the network engineering world. I have installed and configured many a switch and router. And for the immediate 4-5 years before this survey hit my inbox, 3com had been about as present in the enterprise switch space as a woman at an ISSA chapter meeting. The biggest place you saw 3com was on a NIC or a little white 8-port hub in a room full of cubicles. So, I answered a definitive “not no, but hell no”.

To clarify (if the above didn’t explain it well enough), it was the 3com switch that threw me. I wasn’t unhappy with TippingPoint (except that they had been bought by 3com). I liked the box. It served me well. If I could get a TippingPoint blade for the 4506, I would have seriously considered it. But there was no way I was going to replace my Catalyst 4506 with a 3com switch, no way, no how.

Of course, I cannot answer for every TippingPoint customer who received the survey, but I can guess that many of them answered the same way. And this makes me wonder if 3com and TippingPoint are sitting in ivory towers and ignoring the trends because it doesn’t compute that people don’t like their switches.

And to add one more thing that may add some credence to my hypothesis: I also had a couple of 3com reps come out to visit me during the final months of my tenure as an infosec manager. When my boss and I told the 3com guys that we would not consider in any way replacing our current switching infrastructure with 3com because of our impression of 3com as a serious player, they were completely surprised by our attitude. Now maybe they had never received that reaction before because we were just a little more harsh and up front with our opinions. But my immediate opinion was that they really didn’t know they had that kind of reputation. Maybe it is just me that thinks this about them, but I don’t think so.

 

So basically, what it came down to was that 3COM did not impress me, so I would never have bought their switches. The IDEA was a good one. They recognized that it was a good one. But they could not make it happen because no one wanted to buy 3COM switches. Plain and simple.

Now let us get back to the business of security while you guys go try to fool a few more people.

Vet

Posted by Michael Farnum on Wednesday, May 28th, 2008

Filed under Business of Security, Crime, Data theft, Rant, Security

The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes. Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.

I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about similar issues with governments publishing SSNs online here and here). Here’s some of the opening paragraph:

Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.

And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years.  But why can’t we catch up? 

Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast. Cars were invented, there was the first crash, and then we started figuring out that we needed to have some kind of traffic control. It may have been a while before it was worth a crap, but we caught up relatively quickly. Then there were airplanes. The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.

Honestly, I don’t know how quickly people started figuring out that these types of things needed to be regulated. Likely it was all about risk, since there weren’t a lot of planes or cars around when they were first invented, so not a lot of safety was needed yet. But we got smart eventually. Consider this quote:

It’s like trying to predict back in 1910 the impact of the automobile on society - the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993

The move to adopt the Internet and the rush to make it better and faster just came too quickly. Just like the Wright Brothers probably didn’t imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a world wide public network that had to contend with a bunch of thugs trying to steal everyone’s information. They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn’t get a date.

But it became so much more so much more quickly than anyone imagined.  And it pervaded everything.  And now it is a struggle to catch up because the people who are really trying to fix the problems are often contending with the bad guys and the people who look like they are doing something and are really just riding the gravy train that the security issues have created (I have been guilty of that and still am in many people’s eyes since I sell security services and products).

So how do we fix this stuff?  Well, short of bombing us all back to the bronze age ("Stone Age" is so overused, and bronze is shinier), I really don’t know.  There are theories abounding.  Some people say we need to go back to the people and get them to buy in to doing things right.  Some people say we need to leave them out of the equation and just implement technology.  Others say we should just start over from scratch and build in security from the ground up.  There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet.  But it all keeps coming back to one thing: we’re still insecure.

What I don’t understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do.  Is it simply a numbers game?  Do they have that many more people looking than we do?  Do they have a much more lucrative job than we do, so they are better motivated?  Is it because the countries in which many bad guys reside don’t give a crap or just don’t have the resources to catch them?  All of the above?  What else?

How do we get ahead of this?  How can we put the same amount of resources into this to find the vulnerabilities before the bad guys?  People have tried to create communities and projects where they pay for vulnerabilities.  But there’s no guarantee that they are the only ones getting the results of their research. 

You know what? I don’t see an end to this. I think there is really no way to fix it. This simply is a human problem. There have always been bad people, and there always will be. And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes. There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic). All this talk about "security should have been built in" is just a pipe dream. Security Nirvana is not possible. There will always be mistakes. Every time we come up with something new, someone figures out how to break it. And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.

I just don’t see another way.  Yes, there can be some model changes when it comes to how stuff is sold and what really works and other things can be factored in to make change happen on a substantial level.  But this is really what we have to work from.  I know there is a lot of room for discussion here, and I welcome it.  Please help me see this differently.  But for right now, this is how I see it.  I am not being cynical.  I am not quitting on security.  I just think it is going to be a protracted battle that will require dedication and persistence. 

Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008

Filed under Security


Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008

Filed under Security

OK, I know I started a personal blog so I could keep this place security centric, but I really just don’t like doing that.  As Alan would say, this is my blog, and I will post what I want.  So I have decided to start putting personal stuff over here again.  That being said, here’s a personal post.

Meet Lizzie:

[photo]

She is a German Shepherd / Rottweiler mix that we adopted from the SPCA. We really went in there looking for a smaller dog, but she (corny alert) captured our hearts before we really had a chance to look (I’ve heard the dog picks the family, not the other way around, and I believe it now). She is three months old, and she is already showing me she is one of the smartest dogs I have ever met. And the family loves her already, even though the kids have felt the wrath of sharp puppy teeth from playing with her.

By the way, she is named after Elizabeth Bennet from Jane Austen’s Pride and Prejudice, even though I am pretty sure Austen spelled her nickname "Lizzy".  Austen is a favorite author of my wife and me.

Vet

Posted by Michael Farnum on Monday, May 19th, 2008

Filed under Security

Need a good one-liner?  Take a look.

Vet

Posted by Michael Farnum on Friday, May 16th, 2008

Filed under Security

…make Michael a low-volume blogger. I have been back and forth between Houston, Dallas, and Austin over the last couple of weeks, and most of those trips have been driving. So, when I get to my hotel room or back home, I am just worn out.

And work has been pretty hectic lately as well.  I have two statements of work due today that are pretty dang big, and I have a couple of conference calls to boot.

So all of that translates into low volume. 

I’ll be back…

Vet

Posted by Michael Farnum on Friday, May 16th, 2008

Filed under Blogging Buddies, Movies

OK, as much as it pains me, I have to respectfully disagree with The Shimel about his review of Iron Man. First off, I really think you have to have some knowledge of the Iron Man comic story to truly appreciate this movie. Clearly Alan does not have that history (and he is probably going to call me a dork or something since I do) when he makes statements like this:

I didn’t understand how he got the superpower, it was just a powered suit and how it worked was pretty silly.

HOLY CRAP!!! That is near heresy in the Marvel Universe! Tony Stark does not have powers other than being extremely intelligent (I believe he developed some extrasensory powers one time, but I have not collected and read comics for a while). That is what enabled him to make the suit and the piece of technology that powered the suit.

I have to say that while I do agree with Alan that the movie is predictable, I also must say that it is thus far the best big-screen representation of a Marvel Comics character. It stayed very true to the original story, which is always very important to me. In contrast, the Hulk movie was horrible and boring (I have more hope for the next one), Daredevil was just pure idiocy (mostly because it had Ben A Fleck in it - though the playground fight scene was almost as bad as the ice skating scene in King Kong), the Spiderman series has always been underwhelming (they have screwed that story up so bad that Spidey might as well be shooting webs out his ass), the Fantastic Four movies were just…well, I wish they weren’t (especially since they royally hosed Silver Surfer’s story and character, which really pissed me off since he is my MOST favorite Marvel character of all time), and the X-Men movies, while pretty dang good, were still off on the story lines.

I guess what this all comes down to is three categories:

1. You have no preconceived notion of what the movie is about, so you can enjoy it or dislike it without baggage

2. You thought you had some idea what the history of the characters is, so when you see something other than what you expected you don’t like it (similar to Alan’s review in this case)

3. You are intimately familiar with the story line pre-movie and either love the movie for being accurate or hate it immensely because they screwed the story up completely.

Of course, then there’s the fourth group that would not go see the movie if they were strapped to a wild team of mad donkeys (my wife falls firmly into this category - love you baby).

So anyway, now that I have blown off some steam, I think the movie was good precisely because Tony Stark did NOT have superpowers.  He didn’t in the comic, and he didn’t in the movie.  Just a really smart dude who knows how to build really cool toys that just happen to blow up crap.  Kinda like Batman (yes, I know he is DC).

Man, I know way too much stuff about comics.  Oh, here’s a picture of me with The Hulk.  It’s remarkable how close our builds are, isn’t it?

[photo]

And here’s what I looked like after I read Alan’s post on Iron Man:

[image]

UPDATE:  I think I will use the Hulk picture in the same way I use my Orange Juice Award picture, except it will be reserved for when someone pisses me off…

Vet

Posted by Michael Farnum on Tuesday, May 6th, 2008

Filed under Blogging, Me

OK, I am going to do a little self-pimping here. For those of you who have been reading my blog for a year or so, you probably know that I also blog over at Computerworld. But if you haven’t been around a while, or you just plain missed it, please go take a look when you get the chance (and subscribe to the feed). My writing is typically a little more subdued over there, simply because CW can’t have me calling people an ass.

Also, there are a lot of blogs over at CW, and they have a bunch of different subjects.  The site is great (it has won some awards), and the editing staff is awesome as well.

OK, self-pimping is over.

Vet

Posted by Michael Farnum on Sunday, May 4th, 2008

Filed under Security

First, let me be very clear that I have, in the past, downloaded music illegally.  I have also used pirated software in the past.  And while I can’t say that every song I have on my iPod is legal (simply because I can’t remember where I got some of them), I can say that I discontinued the use of pirated software a while ago.  So, moving on…

Don Tennant is an editor over at Computerworld, and he is also a blogger. He recently posted a story that his son wrote while attending Worcester Polytechnic Institute in Massachusetts. The story was about a group of pirates (software, music, and movie pirates - not the kind who say "ARGH") at his school who were very prolific in their pursuits and ended up getting caught and quite busted. It is a great read, and it goes into a lot of good detail (Don, looks like your son got your writing talents).

But as good as the story is, my point for this post is the comment that was made on the post.  Someone that didn’t post their name (people like this usually don’t) wrote a fairly lengthy comment.  Here’s the main excerpt that makes me cringe:

Sure what the students are doing is "illegal" but the fact of the matter is that there is nothing that they could ever do to completely stop this type of illegal activity.

Here’s my reply:

I worked for a company a few years back that built apartment complexes at major universities all over the country. We were also the ISP for the students that lived in our complexes. The network became a huge P2P site after a while (as well as a rampant malware playground). We received notices from the RIAA and others on a fairly regular basis about copyright violations coming from our IP space. It was nasty. We ended up putting in "application aware" security appliances and throttled down the traffic for everything but a few known apps. This worked even for traffic being tunneled over http, but anything https got through. Advances have been made since then, but it is still going on.

But this is not really a technology problem, is it? This is a moral and ethical problem that will never stop because people like Anon put quotes around the word "illegal".

That is really what this is about. As long as people can justify downloading music, movies, and software illegally, it is going to continue to happen. This is not a problem that technology is going to solve. The different industries have tried again and again, but to no avail. It really comes down to people’s hearts.

And having made that disclaimer above, I also want to say that I am not writing a "holier-than-thou" post.  I am simply writing this post to say that when you are breaking the law, no amount of quotes around the word "illegal" makes it OK.
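For readers who want to see what "application aware" throttling of the kind described in that reply actually does, and why HTTPS slipped past it, here is an added example. It is not code from the original post or from any appliance vendor; it is a toy classifier that labels a flow by payload signature rather than port number, applies an allow-list policy, and treats TLS as opaque. The flows, the allow-list, and the signatures it matches are constructed for illustration.

```python
# Added example (not from the original post): a toy "application aware"
# classifier with an allow-list policy. Flow contents are constructed samples,
# not captured traffic.
from dataclasses import dataclass

# Assumption: the ISP let only these application types through at full speed.
ALLOWED_APPS = {"http", "tls", "dns", "ssh"}

# TLS record-layer versions seen in a ClientHello (SSL 3.0 through TLS 1.2).
TLS_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow


def _http_request_line(payload):
    """Return the request line if payload starts an HTTP/1.x request, else None."""
    first, _, _ = payload.partition(b"\r\n")
    parts = first.split(b" ")
    if (len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD", b"PUT")
            and parts[2].startswith(b"HTTP/1.")):
        return first
    return None


def classify(flow):
    """Label a flow by what its payload looks like, not by which port it uses."""
    p = flow.payload
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"            # BitTorrent peer-wire handshake
    if p.startswith(b"GNUTELLA CONNECT/"):
        return "gnutella"
    if p[:1] == b"\x16" and p[1:3] in TLS_VERSIONS:
        return "tls"                   # ClientHello; everything after this is opaque
    request_line = _http_request_line(p)
    if request_line is not None:
        # HTTP is cleartext, so P2P riding on it is still visible: a BitTorrent
        # tracker announce is just a GET with info_hash in the query string.
        if b"/announce?" in request_line and b"info_hash=" in request_line:
            return "bittorrent-over-http"
        return "http"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    if flow.dst_port == 53:
        return "dns"
    return "unknown"


def decide(flow):
    """Allow-list policy: anything not positively identified as an allowed app is throttled."""
    return "pass" if classify(flow) in ALLOWED_APPS else "throttle"


# Constructed sample flows. The "https" one could be carrying anything at all;
# the classifier cannot tell, which is the blind spot the reply describes.
SAMPLES = {
    "web": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "bt_peer": Flow(6881, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    "bt_tracker": Flow(80, b"GET /announce?info_hash=%AA%BB&peer_id=abc HTTP/1.1\r\n"
                           b"Host: tracker.example\r\n\r\n"),
    "https": Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    "unknown": Flow(4444, b"\xde\xad\xbe\xef"),
}


def decisions():
    """Classification and policy decision for every sample flow."""
    return {name: (classify(f), decide(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (app, verdict) in decisions().items():
        print(f"{name:11s} {app:22s} {verdict}")
```

The two things worth noticing: the tracker request gets caught even though it is ordinary HTTP on port 80, because the payload is readable; the TLS flow gets a pass no matter what is inside it, because all the classifier can see is a ClientHello. Closing that gap means either blocking TLS wholesale or terminating it, which is a policy decision, not a signature problem.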

Vet

Posted by Michael Farnum on Saturday, May 3rd, 2008

Filed under Commodity Products, Security Consultation, Security Products, Security Reselling

I had a long talk with a client yesterday regarding IPS.  They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented.  They had already thought of a lot of pieces, and now they were looking at putting in IPS.  They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.

So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole. Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo. What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that it really had no big advantage over any of the other big IPS vendors in the market. If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant. Basically, the product is a commodity, just like anti-virus and other mature products. Though some boxes have advantages over others, they all really can do the job. Most are able to protect multiple segments and can handle multi-gig speeds. Most have a default set of policies that are not very noisy and protect against the big threats. Most are HA capable. Most have fail-open or fail-closed options. Etc, etc, etc. Some people might disagree here, and I understand that. One IPS might have a feature that another one does not that may fit a certain need. But I contend that in a general sense, none of the big ones really have a huge advantage.

So in that light, what are the factors you have to consider?  Well, it really comes down to the intangibles.  Let’s look at a few of those:

Is the company diversified in their product line? In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a hole in their product line.

Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece. If they have developed or bought different products that complement each other and are trying to bring them together in a way that gives insight into the network and allows collaboration, then that type of company is likely planning on sticking around for a while.

In this light, also look at management of the product. Though this is not exactly an intangible, it is still something that many companies don’t think about. What about the learning curve for your employees? Do you already have products from this vendor? If so, does this new technology fit well into that console, thus lessening the time your employees need to learn it? If a company fits the diversification example above, they might have a problem in this area. Of course, if they are serious about making it work, they might very well have an EXCELLENT console. Take a close look. You also have to consider the talents of your employees with this factor.

Another intangible is support.  How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?

There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone.  Look at your business. Look at your risk.  Look at your employees.  Look at the vendor as a whole.  Compare their position in the market to other vendors.  How do they stack up?  Do they seem to have tunnel vision, or are they trying to diversify?  Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign.  They may like the product in the short term, but you have to think long term.  You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.

Vet

Posted by Michael Farnum on Friday, May 2nd, 2008