Saturday, June 07, 2014

New significant issues - IE and OpenSSL

One Extremely Important Patch Tuesday!
This coming Patch Tuesday we should (hopefully) get a patch for an IE bug that has been in the wild for about 6 months, depending on the source: a CDATA use-after-free flaw that can apparently be exploited from JavaScript and affects a broad swath of Windows systems.  For once the details have been withheld, as near as I can tell, which is saying something.  Usually someone leaks the information and a bunch of bad actors end up using the code.  If it hasn't been leaked, it is a super-human triumph over our natural instinct to put ourselves above the security of others. Kudos to the researcher who apparently held on for a very long time to a massive exploit that could otherwise have been running Godzilla-like through the computer world. Even though Microsoft was slow to put out a patch, the researcher held out and, in my opinion, did the right thing.

OpenSSL was cracked wide open again
If you believe that only poorly made products are vulnerable to security issues, or if you're one of those who believe that only open software is exploit-free, then you might want to rethink your position.

OpenSSL has been made much more "open" by a new CCS Injection bug. It allows an attacker to force an OpenSSL implementation of SSL/TLS to use weak key material, which in turn potentially lets a man-in-the-middle attacker decrypt a session.  But this is not the only issue... consider the DTLS recursion flaw, the DTLS invalid fragment vulnerability, the SSL_MODE_RELEASE_BUFFERS NULL pointer dereference, the SSL_MODE_RELEASE_BUFFERS session injection, and the anonymous ECDH denial of service.  Basically you have a recipe for disaster if you're an APT soldier for hire.

I believe that two forces are at work behind the sudden explosion of exploits against the underpinnings of our online world.
A) the Snowden revelations
I know it may seem far-fetched, but the reasoning is this: if you know that there is an organization with the ability to deconstruct and observe much of what we do online, you must also assume they have the means to do so.  If you believe they have the means to do so, you begin to open your mind to the possibility that the encryption systems we rely on are more vulnerable than we originally thought.  From there, it's logical to take a second look at these encryption systems.  When we begin to find that there are significant flaws, we prove the supposition.  Once we prove the supposition true, the cycle begins once more: we look deeper, find more issues, and so the cycle goes.

B) the Eye of Mordor principle
When the curiosity of the hacking world is focused on a fad or the exploit-du-jour we see a phenomenon I call the "Eye of Mordor": the collective focus of the hacking world is the Eye.  Once the Eye settles on a single product, company, etc., the bugs start to be ferreted out. A case in point was the focus of the Eye on Microsoft's operating system.  Now that Linux is represented on more desktops it begins to draw the Eye, just like when Frodo put the ring on.

What does that mean for the future?
I predict we'll see a lot more ground-breaking attacks on crypto and against the underpinnings of the systems that employ it.  We'll see the world begin to get more serious about staying secure from everyone and everything else. No product will take off without having strong encryption and bold marketing promises to keep data out of the hands of virtually everyone. Lastly, governments that like to skim data, in an effort to satisfy themselves that everyone is playing ball, will find other means of getting it... probably by new regulation. 

Friday, June 06, 2014

Is antivirus a waste of time?

Symantec is turning from prevention to remediation as the company comes to grips with dropping detection rates for new viruses and malware.  Many savvy companies have already begun to analyse suspect files using multi-engine systems like VirusTotal, which can produce a consensus on a piece of malware if you're lucky.

To what do we owe this great turn of events?
a) Could it be the cool tricks APTs use to bypass antivirus disclosed at RSA 2013?
b) The tips given at BlackHat 2013 to fool virus engines?
c) Could it be the codifying of those tricks into Metasploit for the script kiddies to push-button hack?
The answer is Yes.

The tricks used by APTs, and by hackers in general, to bypass anti-virus are very easy and extremely effective... so much so that trying to detect them would be almost impossible, and if they were detected it would lead to a huge number of false positives, since many legitimate programs share those same API calls.  So Symantec's admission is just common sense... not a shock, or even really that surprising.

So what is a person to do?

For a long time now I've championed the use of a Tripwire-like app.  Just a simple hash of files and key registry segments... if those areas change, the user is given the opportunity to restore them to the original settings.  You can take this idea as far as you want, with VMs or what have you.  Users are not perfect, and we all know they can be fooled easily, but even savvy kids know that when they're surfing the web they should not have something get installed that they didn't ask for.
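The following is an added example of the Tripwire-like idea described above, not code from the original post or from any product it names. It covers the file half only (registry monitoring is Windows-specific and omitted): take a SHA-256 baseline of a directory tree, keep a content-addressed copy of each file so a change can be undone, report added/removed/modified files, and restore on request. Paths, file contents and the simulated tampering in `demo()` are constructed for the illustration.

```python
"""Minimal Tripwire-style file integrity baseline with restore (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_posix_path: sha256} for every regular file under root (symlinks skipped)."""
    root = Path(root)
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def snapshot(root, store):
    """Hash every file and keep a copy in a content-addressed store so it can be restored later."""
    root, store = Path(root), Path(store)
    store.mkdir(parents=True, exist_ok=True)
    baseline = build_baseline(root)
    for rel, digest in baseline.items():
        dest = store / digest          # one copy per distinct content
        if not dest.exists():
            shutil.copy2(root / rel, dest)
    (store / "baseline.json").write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return baseline


def compare(baseline, current):
    """Diff two baselines into added / removed / modified relative paths."""
    b, c = set(baseline), set(current)
    return {
        "added": sorted(c - b),
        "removed": sorted(b - c),
        "modified": sorted(p for p in b & c if baseline[p] != current[p]),
    }


def check(root, store):
    """Re-hash root and report what changed since the stored baseline."""
    baseline = json.loads((Path(store) / "baseline.json").read_text())
    return compare(baseline, build_baseline(root))


def restore(root, store, report):
    """Put modified/removed files back from the store and delete added ones; returns files touched."""
    root, store = Path(root), Path(store)
    baseline = json.loads((store / "baseline.json").read_text())
    touched = 0
    for rel in report["modified"] + report["removed"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / baseline[rel], target)
        touched += 1
    for rel in report["added"]:
        (root / rel).unlink()
        touched += 1
    return touched


def demo():
    """Constructed scenario: baseline, tamper, detect, restore. Returns (report, report_after_restore)."""
    work = Path(tempfile.mkdtemp())
    root, store = work / "etc", work / "store"
    root.mkdir()
    (root / "hosts").write_text("127.0.0.1 localhost\n")                       # constructed
    (root / "app.conf").write_text("update_url=https://example.invalid/updates\n")  # constructed
    snapshot(root, store)
    # Simulated unwanted change: a config edit, a deleted file and a file nobody asked for.
    (root / "app.conf").write_text("update_url=http://example.invalid/evil\n")
    (root / "hosts").unlink()
    (root / "unrequested.dll").write_bytes(b"MZ\x90\x00")
    report = check(root, store)
    restore(root, store, report)
    after = check(root, store)
    shutil.rmtree(work)
    return report, after


if __name__ == "__main__":
    before, after = demo()
    print("detected:", before)
    print("after restore:", after)
```

The store keeps one copy per distinct content hash, so the baseline file is the only thing that grows per path; in a real deployment the store and `baseline.json` would live somewhere the unprivileged user (and malware running as that user) cannot write.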

I agree it's time to go back to a leaner AV with greater attention to segmentation of information and an absolutely rock-solid restoration capability.  There are few things more frustrating than removing a virus only to find that you have to rebuild a home user's machine from scratch because there are still tentacles of the bug infesting the remotest areas of the OS.

But good luck finding this kind of solution for a price you can stomach.  Maybe an AV company will build this up but if the past is any indication it will come with 100 megs of useless legacy crap installed with it.  So far it seems that freeware solutions steer clear of this type of app maybe due to patents in the area or simply because it's dangerous to restore anything to a computer and thereby risk the legal repercussions of not getting it perfect.

What does the business do?

Businesses will have to turn to multi-engine AV systems and to anomaly detection systems like FireEye, Tripwire and Splunk to catch hacks after the fact.  You can roll your own tools, write Snort rules, and block massive lists of IP addresses. I believe the industry is coming to a tipping point where lower-cost tools are needed.  I enjoy writing my own, but most companies don't have people with the skills to take a day or two on a new tool.  Also, pet projects can take on a life of their own as their capabilities need to expand to support additional systems and log types.  I recently wrote a sniffer and a log analysis system that feeds into SQL Server (with full-text search).   A few stored procs shape the data into useful intel, but parsing new and varied types of logs becomes a pain point, and Splunk starts looking better if you have a wide variety of input.  These are the kinds of decisions you'll find yourself dealing with more and more as the attackers continue to outpace the defenders.
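As an added example of the roll-your-own log pipeline described above (not the author's system, and not SQL Server: the in-memory sqlite3 module stands in for the database, and a plain query stands in for the stored procedure), this script normalizes two constructed log formats, sshd syslog lines and combined-format web-server lines, into one events table and then runs the "shaping" query that flags sources with repeated authentication failures. All log lines, host names and addresses are constructed, and the assumption that syslog timestamps are in UTC and the current year is marked in the code.

```python
"""Added example: normalize two log formats into one table and flag brute-force sources with SQL."""
import re
import sqlite3
from datetime import datetime, timezone

# Two constructed formats: syslog lines from sshd, and combined-format httpd access lines.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
HTTPD_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line, year=2014):
    """Return (source, ts_utc_iso, src_ip, outcome, detail), or None for a format we do not know."""
    m = SSHD_RE.match(line)
    if m:
        # Assumption: syslog lines carry no year or zone, so we assume `year` and UTC.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ("sshd", ts.isoformat(), m["ip"], "auth_fail", m["user"])
    m = HTTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)  # normalize to naive UTC like sshd
        outcome = "auth_fail" if m["status"] in ("401", "403") else "ok"
        return ("httpd", ts.isoformat(), m["ip"], outcome, m["req"])
    return None


def load(lines):
    """Parse lines into an in-memory events table; returns (connection, number of unparsed lines)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (source TEXT, ts TEXT, src_ip TEXT, outcome TEXT, detail TEXT)")
    unparsed = 0
    for line in lines:
        row = parse_line(line)
        if row is None:
            unparsed += 1          # the "new log type" pain point: count, do not silently drop
            continue
        db.execute("INSERT INTO events VALUES (?, ?, ?, ?, ?)", row)
    db.commit()
    return db, unparsed


# The shaping query: sources with >= N failures, first-to-last inside a time window, across all log types.
BRUTE_FORCE_SQL = """
SELECT src_ip, COUNT(*) AS failures, MIN(ts) AS first_seen, MAX(ts) AS last_seen
FROM events
WHERE outcome = 'auth_fail'
GROUP BY src_ip
HAVING COUNT(*) >= :min_failures
   AND (julianday(MAX(ts)) - julianday(MIN(ts))) * 86400 <= :window_seconds
ORDER BY failures DESC, src_ip
"""


def brute_force_sources(db, min_failures=5, window_seconds=120):
    """Run the shaping query; returns a list of dicts, one per flagged source address."""
    rows = db.execute(BRUTE_FORCE_SQL, {"min_failures": min_failures, "window_seconds": window_seconds})
    return [{"src_ip": r[0], "failures": r[1], "first_seen": r[2], "last_seen": r[3]} for r in rows]


# Constructed sample input: one noisy SSH source, one stray failure, one source that splits its
# attempts across SSH and the web login, one normal web hit, and one line of an unknown format.
SAMPLE_LOGS = [
    "Jun  6 03:14:01 bastion sshd[4021]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    "Jun  6 03:14:04 bastion sshd[4021]: Failed password for root from 10.0.0.5 port 51023 ssh2",
    "Jun  6 03:14:07 bastion sshd[4021]: Failed password for invalid user admin from 10.0.0.5 port 51024 ssh2",
    "Jun  6 03:14:11 bastion sshd[4021]: Failed password for invalid user admin from 10.0.0.5 port 51025 ssh2",
    "Jun  6 03:14:15 bastion sshd[4021]: Failed password for root from 10.0.0.5 port 51026 ssh2",
    "Jun  6 03:20:30 bastion sshd[4031]: Failed password for alice from 192.0.2.10 port 50110 ssh2",
    "Jun  6 03:25:00 bastion sshd[4040]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jun  6 03:25:20 bastion sshd[4040]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    '198.51.100.7 - - [06/Jun/2014:03:25:40 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.7 - - [06/Jun/2014:03:25:55 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.7 - - [06/Jun/2014:03:26:10 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.9 - - [06/Jun/2014:03:30:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    "Jun  6 03:31:00 bastion kernel: eth0: link up",
]


if __name__ == "__main__":
    conn, skipped = load(SAMPLE_LOGS)
    print(f"unparsed lines: {skipped}")
    for hit in brute_force_sources(conn):
        print(hit)
```

The point of normalizing both formats into the same `outcome` column is that the query sees the third source, which spreads its attempts across SSH and the web login, as one brute-force campaign; each parser on its own would have stayed under the threshold. Every unknown format is counted rather than dropped, so the `unparsed` figure tells you when a new log type has started arriving and the parser needs extending, which is exactly the maintenance burden the paragraph above describes.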

I'll talk more about how to deal with this tipping point shortly as a reset is needed to tip the scales back in the favor of defense.