Humor: Pentest Storytelling

From Bruce Schneier’s blog an unverified story about breaking into banks and then asking them to pay for consulting. Warning, this is generally considered illegal (due to lack of formal pre-authorization) and could easily lead to arrest.

Spoiler alert: Women are characterized as emotional, unstable and irrational. Men are characterized as cool under pressure and smooth. So the story is clearly embellished from a particular bias.

Also strange is how the story starts out bold on technology attacks, to a point of being unsatisfactorily vague and boastful (I expected him next to say he also was in the special forces and has traveled to Mars), but then shifts into a physical assessment description that is laden with pre-authorization, deniability and constant worry to prove their innocence.

FedRAMP Launched with Memo to CIOs

The recently appointed Federal Chief Information Officer, Steven VanRoekel, serving the U.S. Office of the President, has formally launched FedRAMP with a memorandum issued today called “Security Authorization of Information Systems in Cloud Computing Environments” (PDF).

Note the use of “shall”:

d. Each Executive department or agency shall:

i. Use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services;

ii. Use the FedRAMP PMO process and the JAB-approved FedRAMP security authorization requirements as a baseline when initiating, reviewing, granting and revoking security authorizations for cloud services; (For all currently implemented cloud services or those services currently in the acquisition process prior to FedRAMP being declared operational, security authorizations must meet the FedRAMP security authorization requirement within 2 years of FedRAMP being declared operational.)

iii. Ensure applicable contracts appropriately require CSPs to comply with FedRAMP security authorization requirements;

iv. Establish and implement an incident response and mitigation capability for security and privacy incidents for cloud services in accordance with DHS guidance;

v. Ensure that acquisition requirements address maintaining FedRAMP security authorization requirements and that relevant contract provisions related to contractor reviews and inspections are included for CSPs;

vi. Consistent with DHS guidance, require that CSPs route their traffic such that the service meets the requirements of the Trusted Internet Connection (TIC) program; and

vii. Provide to the Federal Chief Information Officer (CIO) annually on April 30, a certification in writing from the Executive department or agency CIO and Chief Financial Officer, a listing of all cloud services that an agency determines cannot meet the FedRAMP security authorization requirements with appropriate rationale and proposed resolutions.

FedRAMP has a different definition of security than the standard NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems and Organizations. It also differs from the Consensus Audit Guidelines (CAG), which I explained in detail recently at the ISACA-SF conference: “Risks and Controls in Cloud Computing”, and also last June on the Focus Roundtable Podcast: “FISMA Clouds in 2011: Fact or Fiction?”. For example, look at NIST SP 800-53 moderate requirements for Configuration Management – Baseline Configuration:

Moderate Control 800-53R3 CAG v2.3 FedRAMP
Baseline Configuration CM-2(1)(3)(4) CM-2(1)(2)(4)(5) CM-2(1)(3)(5)

 

Risk Assessment – Vulnerability Scanning is another good example

Moderate Control 800-53R3 CAG v2.3 FedRAMP
Vulnerability Scanning RA-5(1) RA-5(a)(b)(1)(2)(4)(5)(6)(9) RA-5(1)(2)(3)(6)(9)

 

I mapped all 170 or so controls because I found many unaware of the deltas. I’m still using CAG 2.3 but 3.0 was released a couple months ago. The theory, of course, is that the list of controls selected for FedRAMP is based on a risk model/assessment specific to cloud. The memo basically applies to all things cloud in the U.S. Federal space.

This memorandum is applicable to:

a. Executive departments and agencies procuring commercial and non-commercial cloud services that are provided by information systems that support the operations and assets of the departments and agencies, including systems provided or managed by other departments or agencies, contractors, or other sources;

b. All cloud deployment models (e.g., Public Clouds, Community Clouds, Private Clouds, Hybrid Clouds) as defined by NIST; and

c. All cloud service models (e.g., Infrastructure as a Service, Platform as a Service, Software as a Service) as defined by NIST.

And it gives four deadlines:

  • 30 days – CIO Council will publish the FedRAMP security controls derived from NIST SP 800-53
  • 60 days – concept of operations (CONOPS) will be published
  • 90 days – security experts appointed from the DHS, DOD, and GSA will publish a charter with governance model
  • 180 days – FedRAMP PMO will provide FedRAMP operational capability

It looks to me as though “currently implemented cloud services or those services currently in the acquisition process” are being granted two and a half years before they shall use FedRAMP as described in this memo. In other words, Federal agencies have 180 days to start acquiring cloud services (to qualify for the two year exception) or cloud services acquired after June 2012 shall use FedRAMP.

Children’s Cereals Fail Nutrition Test

The SugarEnvironmental Working Group reviewed nearly 100 cereals and found many that are more than 50% sugar by weight (more than cakes and cookies) but are still marketed as children’s food.

A one-cup serving of [Kellog’s] Honey Smacks packs more sugar than a Hostess Twinkie…

Most children’s cereals fail to meet the federal government’s proposed voluntary guidelines for foods nutritious enough to be marketed to children. Sugar is the top problem, but many also contain too much sodium or fat or not enough whole grain.

Full report (PDF)

Apparently not much has changed since 2008 when Consumer Reports reported basically the same thing; Kellog’s Honey Smacks had more sugar than donuts.

Are you one of those adults who keep a box of Frosted Flakes or Froot Loops hidden in the cupboard? Such sugary cereals are heavily marketed to children, to the tune of about $229 million advertising dollars per year. But an estimated 58 percent of “children’s” cereals are consumed by the over-18 crowd.

[…]

The bad news is that 23 of the top 27 cereals marketed to children rated only Good or Fair for nutrition. There is at least as much sugar in a serving of Kellogg’s Honey Smacks and 10 other rated cereals as there is in a glazed doughnut from Dunkin’ Donuts.

Podcast: Virtualization Practice on PCI and Mixed-Mode

The Virtualization Practice has posted a podcast with me on PCI compliance in virtual environments

On 10/6 was held the Virtualization Security Podcast featuring Davi Ottenheimer in his role as a QSA. Davi holds down many roles working with companies such as VMware, yet he maintains his QSA credentials and applies his knowledge of PCI Compliance. In this podcast we ask the question, is a virtual environment always mixed-mode and what to do if your QSA does not have the knowledge required to do the job?

The host has tried to be as provocative as ever by offering a follow-up statement with an absolute position:

I believe any hypervisor based PCI workload is always mixed mode regardless of the type of VMs

Naming names, BOF and the Chinese APT

One of the great legacies of Roman Emperor Justinian the Great (527 to 565) was a uniform revision of law. It has remained the basis of civil law in many parts of the world. In his Byzantine IUSTINIANI DIGESTA of the year 533, for example, it was written:

22.3.2

Paulus libro 69 ad edictum

Ei incumbit probatio qui dicit, non qui negat.

My Latin is a little rusty. Yet I am fairly certain that translates to a man named Paulus (Julius Paulus Prudentissimus, the most quoted Roman jurist in the Digest) saying the following:

Burden of proof (incumbit probatio) is on he who asserts (qui dicit), not on he who denies (qui negat)

Naming names

That old rule of law was the first thing that came to mind when I read the screeching opinion from CSO Publisher Bob Bragdon on “Naming names in APT

Let’s call a spade a spade: China is the greatest threat to international cyber­security on the planet.

I’m tired of pussyfooting around this issue the way that I, and many others in security, industry and government have been for years. We talk about the “threat from Asia,” the attacks perpetrated by “a certain eastern country with a red flag,” network snooping by our “friends across the Pacific.” I swear, this is like reading a Harry Potter book with my daughter. “He-Who-Must-Not-Be-Named” just attacked our networks.

Let me be absolutely, crystal clear here. In this scenario, China is Voldemort. Clear enough?

Crystal clear? Spade a spade? China is Voldemort? This article must be tongue-in-cheek because it is so obviously self-contradictory it can’t possibly be serious.

The author then offers us an example from a report by NPR. It names China as one of two great threats to business information in the U.S.:

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

The author’s example in the article thus contradicts his complaint about naming names. The fact is China has been explicitly named in security reports for a long time, as I have written about before. Here is what I found in just a few seconds of searching:

So naming names is hardly a problem for “many others in security, industry and government” and should be set aside. China is obviously getting named both officially, unofficially and even when there is only suspicion.

Burden of proof

What if we accept the author’s argument, setting aside the naming names complaint, that “China is Voldemort”? Now we face a problem of proof.

I’m not talking about proof that China meets the Dictionary definition of Voldemort. I mean why doesn’t the author drop in a couple examples to show that China, even under any other name, is the “greatest threat to international cybersecurity on the planet”. Incidentally, I have to wonder what is the greatest threat off the planet but I’ll leave that alone for now.

Let’s look again at the one example provided.

The report is explicit: “Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” it concluded, while “Russia’s intelligence services are conducting a range of activities to collect economic information and technology from U.S. targets.”

This report fails to say that China is the greatest threat to international cybersecurity. Is China a threat to U.S. economic interests? Obviously, as mentioned in CSO before in an article on “Byzantine Hades” (coincidental name, no?). There are many, many examples. One of the economic and social conflict areas between China and the U.S. most interesting to me is the Sudan, as I have written about before. Does anyone think it is a coincidence that the successful American effort to split a country in Africa into separate nations with a clear border was led by a U.S. General?

I see border dispute, tension, and conflict as a very tangible and long-standing indicator of threat. Take as another example the 2009 prediction in the Indian Defense Review.

China will launch an attack on India before 2012.

There are multiple reasons for a desperate Beijing to teach India the final lesson, thereby ensuring Chinese supremacy in Asia in this century. The recession that shut the Chinese exports shop is creating an unprecedented internal social unrest. In turn, the vice-like grip of the communists over the society stands severely threatened.

The arguments made were interesting because they actually went so far as to try and prove the foundation of Chinese aggression and thereby predict an escalation. Even more interesting was the response and attempt to disprove the arguments for aggression, as illustrated by an article in ChinaStakes.

Mr Verma’s reasoning rests on a lack of documentation. Looking into the past 60 years, China has no record of launching a war to divert public attention from anything. Moreover, while Mr. Verma supposes the Chinese Communist Party has no cards to play other than “invading India,” the Party, widely experienced in dealing with domestic disputes, will hardly in only three years have run out of all options facing potential social instability. Moreover, even if Chinese leaders considered such an option, they would certainly be aware that an external war would severely jeopardize domestic affairs.

After review of those two sides of the argument I neither believe that China will invade India before 2012 (easy to say now) nor that a lack of a record launching attacks prevents China from changing policy and taking a more aggressive stance. And while I discount both I find myself reviewing the arguments and contemplating a third option.

What if 60 years of American past is what China is actively studying to weigh strategic options? What if they are drawing lessons from the American long-range missile pre-emptive strike doctrine as well as the deterrence doctrine? I have no doubts that there are hawks in the Chinese government studying a history of similarly hawkish plans abroad and trying to find a best-fit for their own country. Whether they can achieve a fit or even emulate/fake one is another story.

Now I’m off talking about awesomely scary missile and invasion conspiracy theories. How did I get here? Oh, right, the Chinese get blamed in name. At least in border disputes, strike plans and missile-tests, there is an effort to provide evidence by authors to prove their point. Before I get too far into reality, let’s pull back to the the CSO article.

The author offers the reader nothing even remotely resembling an argument and thus ends up just name-calling in an article against name-calling. Greatest threat to cybersecurity on the planet? Let’s see some evidence or at least an argument to back that up. I’m not asking for predictions, just something Paulus might have approved — something that we can actually argue for or against.

Quoted in Inc.

A writer for IncInc. has quoted me in an article called “New Ways to Keep Hackers Out of Your Business

While you might think of encryption as something we’ve been using only since the advent of computers, it’s really a rather old practice. “Encryption is based upon a secret,” says Davi Ottenheimer, expert on the Focus network and founder of San Francisco-based security consulting firm flyingpenguin, who likes to cite Julius Caesar and Thomas Jefferson as examples of historical figures who have hidden things by using cryptography.

Caesar used a substitution cipher to communicate with his generals that involved replacing the letters in a message with a shifted alphabet. For instance, a shift of three would make all the As in message Ds; Bs would become Es, and so forth.

Jefferson used a type of wheel cipher during the Revolutionary War that involved 36 disks stacked on an axle, each with a different version of a scrambled alphabet on the outer edge. When both the sender and receiver had the numbered disks in the same order and rotated them in the right way, an understandable message would appear.

“People have historically improved encryption during times of conflict or war,” Ottenheimer says. “It’s all about secrecy, really, confidentiality. It doesn’t require super-sophisticated technology as much as it requires people being fairly intelligent about how they can keep a secret.”

VMware vCloud Connector 1.5 Certificate Installation

Chris Colotti offers a vCloud Connector 1.5 guide that highlights security

Security – It is important to understand the security of these components. The Server and Nodes communicate over SSL using port 8443 and this is the port used my the online portal to connect to your server. So it stands to reason you will want to generate some real certificates at least for your vCloud Connector server since that will be connected to be the remote nodes as well as the portal. The local nodes may not be as big a concern since they are on the same network. However you can see below, that if you are transferring a workload from a private cloud to the public the two nodes will interface and then you have an argument for some real certificates on all nodes as well. Generally in a production deployment I would get all real certificates, but in my lab I decided not to.

vCC architecture

It is great to see this called out but I strongly recommend installing certificates in all deployments (and restriction to communication only over port 8443). In addition, certificate warnings should never be ignored once a new system is configured, as I explained in my presentation at VMworld — Penetration Testing the Cloud.

Vendor (i.e. VMware) default certificates should always be replaced. They do not have to be “commercial CA” certificates. You also can create your own signing certificate offline and use it to sign certificates that you generate. Many do-it-yourself options are available, as long as you carefully protect the signing certificate’s key. Microsoft’s public CA is common in Windows environments. Note that even a hardware security module (HSM) appliance is not very expensive and you of course can still use OpenSSL.

It not only is necessary to use certificates to protect authentication for all your critical systems connected to the network but it also a PCI DSS v2 Requirement.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

Requirement 2.1 gives a very broad statement that clearly is not limited to production use.

Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.

The VMware product guide for vCC (Installation and Configuration – vCloud Connector 1.5.0) has steps to replace certificates. Note the first sentence mentions production use again. Also note the passwords:

If you have not yet replaced the self-signed certificates in your vCC Server and vCC Nodes, you need to do so before production use.

Procedure

1. Log in to the admin Web console for each vCC instance in which you are going to replace the certificate.

2. For vCC Server, click on the Server tab, SSL button. For vCC Node, click on the Node tab, SSL button.

3. Generate and download a Certificate Signing Request by clicking Generate and Download CSR.

Depending on your certificate authority, you might need to create a new private key before you download the CSR. Contact your CA for more information.

a. If you need to create a new private key, log in to the console of the Server (hcserver) or Node (hcagent) as root. The default password is vmware.

b. At the prompt, change directory to /usr/local/tcserver/springsource-tc-server-standard/server or agent/conf.

c. Delete the existing private key.

/usr/java/jre-vmware/bin/keytool -delete -alias hcserver or
hcagent -keystore tcserver.jks -storepass changeme

d. Create a new private key.

/usr/java/jre-vmware/bin/keytool -genkey -keyalg RSA -keysize 2048 -alias hcserver or
hcagent -validity 1095 -keystore tcserver.jks -storepass changeme -keypass changeme

e. Log in to the Server Web admin console and download the CSR as described in Step 1 above.

4. When you have your certificates, upload the root or intermediate certificate from your CA and the new X.509 certificate for your instance by using the two Browse buttons.

5. Locate the certificates on your local machine and then click Upload.

What to do next

Once you have installed the valid certificates, deselect the Ignore SSL Certificate flag in the Node registration window for each Node. See “Register vCloud Connector Nodes with vCloud Connector Server,” on page 32 for more information on this flag. For the change to take effect, you must restart the Server.

Phone Porting to Bypass 2-Factor Authentication

More and more authentication systems are using SMS messages to verify the identity of users. Google, for example, offers you the option to send a PIN code to your phone when you login. This provides the second of two “factors” of authentication — something you have (the phone, with a one-time password) as well as something you know (your usual password).

IT News in Australia has a story that describes a real-world case of how this is bypassed by attackers.

The service providers generally require public forms of information before they will let you access your account — company name with tax ID and a mobile phone number with user name. This means only one-factor authentication (ironic, no?), based on easy-to-find information, is all that an attacker needed to initiate a port request (reassign a phone number to a new provider).

Back to the story, two separate social engineering calls were used to gather the information necessary according to IT News. Both calls were answered by someone other than the target individual.

In the days leading up to the fraud being committed, he had received two strange phone calls. One came through to his office two-to-three days earlier, claiming to be a representative of the Australian Tax Office, asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number for an urgent job; his daughter gave out the number without hesitation.

Now with the information needed to execute the redirection the attackers also created camouflage to anticipate any alarm during service interruptions caused by a phone port.

The fraudsters used this information to make a call to Craig’s mobile phone provider, Vodafone Australia, asking for his phone number to be “ported” to a new device.

As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud.

Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an electronics retailer.

The anti-fraud system then kicked-in. Other systems may not have anti-fraud controls as a backup (may lack defense in depth) or attackers may be able to spend below the radar and avoid alarms. Either way this real-world porting attack is a good example of how authentication has to be assessed holistically; transfer, reset and other account management options are often a weak link.

German Cloud Provider receives Trusted Cloud Certification

The first company to meet the TÃœV Trust IT requirements has been announcedTUV:

Die Kunden sind vollständig voneinander getrennt und können die Produkte je nach Bedarf skalieren, um flexibel auf ihr Business reagieren zu können. Zusätzlich werden umfassende Zutrittskontrollen zu den Gebäuden des Unternehmens, Datenzugriffskontrollen und regelmäßige Stresstests der Infrastruktur sowie eine systematische Notfallplanung durchgeführt. Besonders hervorzuheben ist, dass die Host Europe GmbH die Daten ohne Ausnahme in eigenen deutschen Rechenzentren unterbringt und somit die deutschen Datenschutzbestimmungen und Gesetze gelten.

Here’s my translation:

The customers are completely separated and the platform can scale as needed to flexibly respond to demand. In addition, the company has extensive access controls for the buildings, data access control and regular stress testing of the infrastructure as well as systematic contingency planning. Most noteworthy is that Host Europe GmbH cloud solutions are located only in German data centers and thus accommodate German data protection regulations and laws.

the poetry of information security