Suggested Blog Reading – Tuesday May 1st, 2007

First day of May, and I’m feeling OK! The sickness has passed through me and I’m feeling 99% better with the exception of still being a little tired.

Here’s the list for today:

MITMing an SSLized Java App – Good article

I was recently working on a Java-based application that communicated exclusively over SSL. This is a good thing for the application, but a bad thing for someone trying to test it. I naively thought that I could edit a couple of files and boom, be on my way.

Encryption for PCI Compliance – Good discussion on key lengths, algorithms, backups, etc. to meet PCI compliance.

Although we have discussed encryption and the PCI requirements before, many people still do not understand how to properly implement secure encryption systems. So, this post is aimed to make this as simple to understand as possible by answering the common questions that people ask.

Nokia eyes scalability with new security appliance – You can keep throwing hardware at the problem but ultimately Check Point has to work on the performance of their software.

The IP690 is based on a multicore, multithreaded Intel Corp. processing platform to accommodate future software, including applications from other vendors, Taylor said. It’s Nokia’s first appliance based on this kind of architecture.

Power of Negotiation – Insightful post.

Spinning up a new security program is no easy feat. Neither is changing the direction of one that is already in place. One of the first things that everybody identifies as necessary is policy. Whenever the auditors come through an organization or department, documented policies are one of the first things they ask to review. But policies are one of the hardest things in security, or business for that matter, to generate and update. Heck, in comparison, ethics is easier than policies. In ethics, usually, when a person has to think about something then they are probably crossing the line. But with policies, how much is enough and where does it start crossing the line? By line I am talking about things such as cost efficiency, individual privacy, and any number of other questionable subjects.

Think *ACCIDENTAL* Leak Prevention – It’s really like rubber sheets for your bed…just in case 😉

Here is a useful bit of insight that emerged from this discussion: if you think of such products as ACCIDENTAL leak prevention defenses, you will likely get over the intense desire to claim that “they are all hopelessly broken by design.” This idea was inspired by this post, which said: “There is no doubt that these systems are evadable […] Inadvertent data leakage is a different story [and can be managed effectively].”

Open Source Training – I’m not sure how valid Wireshark certification would be but the BSD one looks interesting.

I’d like to mention a few notes on training for open source software that appeared on my radar recently. The first is Wireshark University, the result of collaboration among Laura Chappell and her Protocol Analysis Institute, Gerald Combs (Wireshark author), and CACE Technologies, maintainers/developers of WinPcap and AirPcap. WiresharkU is offering a certification and four DVD-based courses, along with live training delivered through another vendor.

Wireless NAC != Wireless IPS: AirTight…Leaks… – Good assessment.

Rob Graham and I came in contact with some Airtight boxes. In case you don’t know, they are a maker of wireless IDS technology. Since we know a thing or two about wireless, we wanted to look and see how these boxes work and if they perform as advertised. If you don’t want to read the entire blog post, the short answer is: not completely. In our quick peek we found 3 problems. If we were doing a real assessment we would have pulled out the screwdrivers, ICE gear, and disassembler, but instead we looked at this from a blackbox remote perspective.

Should the Network Security Industry Exist? – Am I obsolete already?

Last week, I read that well known security expert and writer Bruce Schneier recently opined that there should be no network security industry, because software vendors should make their products so secure that there would be no need for third party security products. He apparently said this at the Infosecurity conference in London (which, interestingly enough, is sponsored by security vendors). You can read about his comments here (incidentally, all of us here hold Bruce in very high regard, so this blog post is not intended to be criticism of him).

Hiding Inside a Rainbow – Very clear post about rainbow tables. Didier’s been motivated since returning from Black Hat Europe 🙂

Steganography is the art of hiding messages so that the uninitiated wouldn’t suspect the presence of a message. A rainbow table is a huge binary file used for password cracking. This is the first in a series of posts on research I’ve done on how to hide data in rainbow tables, and how to detect its presence.

XML Firewall Architecture and Best Practices for Configuration and Auditing – GSEC Gold Certification honors paper from Don Patterson (PDF format)

Stealth for Survival: Threat of the Unknown – GCIH Gold Certification paper from Ken Dunham (PDF format)

2 comments

  1. Re: Wireless NAC!

    David Maynor of Errata Security recently posted some opinions about AirTight’s technology under the guise of a product test about what he refers to alternately as wireless IDS, wireless IPS, or wireless NAC technology in his blog. As Mr. Maynor is well known in the industry for his attacks on industry leaders (such as Apple, Intel, and Cisco), we feel we are in good company to be on his target list.

    We have offered Mr. Maynor a conversation with me so that we may understand what equipment he tested, how he obtained it, what revision level it was, and to clarify his results, since this was an unauthorized ‘review’ of our product.

    Maynor presents an incomplete and biased argument, as he clearly does not understand either the capabilities of or the design targets for the AirTight SpectraGuard Enterprise solution and seems to be arguing a semantic question about the common nomenclature of ‘wireless intrusion prevention’ (WIPS), indicating it should be replaced by ‘wireless network access control’ (WNAC). His blog criticizes AirTight for terminology driven by the industry analysts and used by the industry as a whole with no attempt to confuse customers.

    Aside from the fact that all of the issues Maynor points out as problems apply to all of the Wireless Intrusion Prevention Systems (WIPS) vendors that are shipping products today, and that some of the information about AirTight appears to come from a white paper from 2005 which tested a 3.0 beta version of our product, Maynor makes some naïve assumptions about our design targets and misstates what AirTight has “advertised”.

    Maynor’s concluding paragraph states, “[These boxes] should not be labeled either "intrusion detection" or "intrusion prevention". These devices have no ability to stop a driver level attack like the ones we have previously discussed.”

    Maynor points out three “problems” from his perspective, which come to inaccurate conclusions:

    Problem #1: Protection relies on deauth packets – which an attacker can ignore

    Maynor claims that WIPS prevention can be circumvented if an attacker can plant a hand-crafted rogue AP into a corporate network. This limitation is not unique to AirTight — all other WIPS products have the same limitation.

    AirTight has also developed advanced capabilities (such as wire side port blocking & selective virtual jamming) which can be used to offer more resistance to an attacker. AirTight’s session containment has been shown to perform better than any other vendor’s session containment (see the Tolly Group results on AirTight’s website).

    Problem #2: a hacker can flood our systems and still gain entry

    Again, this observation is not unique to AirTight. If the reader is interested, we can share easier tricks which will cause other WIPS systems to generate *wrong* information.

    Theoretically speaking any software system can be attacked. WIPS are no exception. The real question is if a WIPS vendor has a technology/development roadmap to continuously raise the bar.

    If a hacker were to launch the sort of attack (flood of probe packets) described by Maynor, SpectraGuard Enterprise would see this flood of probe packets – and this in and of itself would generate a separate alarm – causing a network admin to check the system – the defense in depth philosophy at work.

    SpectraGuard is the only system which is actually able to block the most common types of DoS attacks and to do location tracking of a DoS attacker – both critical capabilities when dealing with a determined hacker.

    Problem #3: We send out information about the network through our system

    We are sure the author already knows that a rogue AP connected to a network already leaks a ton of information. An AirTight sensor does not disclose any more information than what is already available to an attacker through alternate means.

    One of the points in this blog entry seems to be that you can fingerprint network identity by reading some of the packets AirTight uses to identify whether a rogue AP is on the enterprise network. It is true that this technique exposes IP subnet identity, but Maynor seems to have missed the point. An open rogue AP exposes more information than our sensor. For example, spanning tree protocol and other broadcast packets (e.g. ARP) expose much more information about the wired network (default gateway IP/MAC address, etc.) than AirTight exposes via our techniques. The bottom line: an attacker doesn’t need to decipher AirTight’s packets to fingerprint (i.e. map out) the wired network.

    AirTight’s philosophy is simple and our products are designed around it.

    (1) WIPS should *not* rely on only one session containment technique (that is, de-auth based). AirTight was the first vendor to recognize this and is the only vendor today which has built non de-auth based session containment techniques into the product. The author unfortunately didn’t test those features and made premature conclusions. Should this threat become real, AirTight already has the capability to contain de-auth resistant APs. AirTight provides access control at the level 2 layer using a battery of techniques beyond deauth and is the only solution which does this.

    (2) Hackers will soon start launching attacks against WIPS. A WIPS not only needs to detect, prevent and locate threats, but also it should be able to protect itself. Similar to (1), AirTight was the first vendor to recognize this trend and is already building several defenses into its SpectraGuard product.

    In summary, security is a process not a product. It is always about raising the bar and multi-layered security is always required. A WIPS system is one layer but real time alerts, location tracking and physical remediation are always recommended as supplementary lines of defense.

    No security solution is foolproof and AirTight does not claim foolproof security. None of us has a silver bullet but most IT managers do not face a determined hacker with a sophisticated black box on a daily basis, which seems to be what Maynor was using. If you did find yourself attacked by hackers, AirTight SpectraGuard is the best product to help you address this challenge.

    Pravin Bhagwat, CTO
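The comment above argues that a flood of probe packets (Problem #2) or a burst of de-auth frames should itself raise a separate alarm, so that the attack on the WIPS becomes visible to an administrator. The following is an added illustration of that defense-in-depth idea, written for this page; it is not AirTight's or SpectraGuard's code and makes no claim about how those products implement it. It runs a per-source sliding-window rate check over a constructed list of 802.11 management-frame records (timestamp, subtype, source MAC), with thresholds and window size chosen as assumptions for the example.

```python
from collections import defaultdict, deque

PROBE_REQ = "probe_req"
DEAUTH = "deauth"


def build_sample_frames():
    """Constructed sample records, not a real capture:
    (timestamp_seconds, frame_subtype, source_mac)."""
    frames = []
    # Background: a handful of clients probing slowly, one every 2 s.
    for i in range(5):
        frames.append((i * 2.0, PROBE_REQ, f"00:11:22:33:44:0{i}"))
    # 80 probe requests from a single source inside 0.8 s.
    for i in range(80):
        frames.append((10.0 + i * 0.01, PROBE_REQ, "de:ad:be:ef:00:01"))
    # 15 de-auth frames within 0.3 s from one (claimed) AP address.
    for i in range(15):
        frames.append((20.0 + i * 0.02, DEAUTH, "00:aa:bb:cc:dd:ee"))
    return frames


def detect_floods(frames, window_s=1.0, thresholds=None):
    """Raise one alarm per (subtype, source) whose frame count within any
    sliding window of window_s seconds reaches the subtype's threshold.
    Thresholds are assumed values for this example, not product settings."""
    if thresholds is None:
        thresholds = {PROBE_REQ: 50, DEAUTH: 10}
    recent = defaultdict(deque)   # (subtype, src) -> timestamps in window
    alarmed = set()               # keys that already produced an alarm
    alarms = []
    for ts, subtype, src in sorted(frames):
        if subtype not in thresholds:
            continue              # data frames etc. are not rate-checked here
        key = (subtype, src)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= thresholds[subtype] and key not in alarmed:
            alarmed.add(key)
            alarms.append({
                "subtype": subtype,
                "source": src,
                "count": len(q),
                "first_ts": q[0],
                "last_ts": ts,
            })
    return alarms


if __name__ == "__main__":
    for alarm in detect_floods(build_sample_frames()):
        print(f"ALARM {alarm['subtype']} flood from {alarm['source']}: "
              f"{alarm['count']} frames between {alarm['first_ts']:.2f}s "
              f"and {alarm['last_ts']:.2f}s")
```

The separate alarm is the point: even if the flood succeeds in confusing rogue-AP classification, the rate anomaly on its own reaches an operator. Keeping state per (subtype, source) means a slow background of legitimate probe requests never trips the probe threshold, and a de-auth burst is reported independently of any probe activity.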
