Apple New Product Security

Apparently impersonating police officers, searching homes without a warrant, and threatening immigrants has not worked very well for the giant media/technology company:

Calderón told us that six badge-wearing visitors came to his home in July to inquire about the phone. Calderón said none of them acknowledged being employed by Apple, and one of them offered him $300, and a promise that the owner of the phone would not press charges, if he would return the device.

The visitors also allegedly threatened him and his family, asking questions about their immigration status. “One of the officers is like, ‘Is everyone in this house an American citizen?’ They said we were all going to get into trouble,” Calderón said.

One of the officers left a phone number with him, which SF Weekly traced to Anthony Colon, an [ex San Jose police officer and] investigator employed at Apple, who declined to comment when we reached him.

Apple must have finally tasted some of the pickle they are in or maybe it’s just a coincidence that they now are hiring a security manager to oversee new products. Note the tone of the qualifications in the “proven record” of their “ideal candidate”.

Simultaneously working with multiple constituencies, balancing disparate priorities, problem solving in high-demand situations, defining and establishing attainable measures of success, and regularly achieving positive outcomes in large-scale business environments.

Translation: You will be responsible for convincing others who probably do not even get along with each other, and who see you as an impediment to their success, to follow what you say. Also known as experience marketing a very low bar as success because advocating too high a bar would just make everyone align even more against security.

Accurately assessing physical and logical security implementations and making actionable risk management recommendations that consider impact on corporate culture, business operations, system architectures, manufacturing processes, and employee workflows.

Translation: Experience not getting in the way; knowledge of how to let the business make the final decision on the amount of risk they will run while leaving the responsibility for that risk (e.g. your reputation as a security “manager”) on you.

Formulating, and successfully implementing, a variety of security technologies utilizing industry-recommended practices and/or risk frameworks.

Translation: Experience buying and implementing security controls three or four years after they already should have been in place.

Looks like an excellent opportunity and a much-needed role. The question is how effective it can be if they are constantly emphasizing in the job spec that they want someone who will not push them too much too soon. Apple could see a significant turnaround if they find the right person, but a manager-level role could be argued as too little too late to alter course from where they appear to be headed.

It reminds me of the patient who will only work with a doctor under certain conditions. The patient, for example, might accept advice but disallow being told what to do and forbid any intervention, even to save their life. The medical profession seems to call this the “difficult” patient problem.

Doctors report that about one in six patients is “difficult.” […] The data suggest that some doctors may simply have a shorter fuse when it comes to dealing with a challenging patient. The researchers noted that older, more experienced practitioners are likely better at dealing with unhappy patients and may be less likely to view patient visits as difficult, even when they’re not perfect. […] An editorial suggested…doctors need better training to cope with the psychological challenges of caring for patients…doctors are advised to rise to the challenge of working with a difficult patient.

Who will rise to the challenge of working with Apple?

Wiener against bare bottoms in SF

This story can’t be real. It sounds like, at least for Mr. Wiener, the issue with being naked is about safety:

Public nudity, he explains, is legal in San Francisco and in recent years a group known informally as Naked Guys have shown unbridled enthusiasm for appearing in the nude.

“I see it pretty regularly, and unfortunately there are nudists who are not doing what they should,” Wiener told Reuters.

The nudists, who expose themselves most often in the city’s famous gay neighborhood, the Castro District, have got Wiener and others worrying about public health.

“I’m not a health expert, but I believe sitting nude in a public place is not sanitary,” he said. “Would you want to sit on a seat where someone had been sitting naked? I think most people would say, ‘No.'”

Wiener, who represents the Castro neighborhood, said he hears from merchants who fear the public displays may drive away customers, hurting the business’ bottom lines.

The argument that public displays in the Castro will drive away customers is like saying Disney should get rid of Mickey because some people are afraid of mice. Wiener must realize at least a little that “displays” are why the “famous gay neighborhood” has so many customers.

So let’s look instead at his argument on safety. Business is booming in other neighborhoods where safety is a very serious problem. I’m talking about three homicides in the Mission in just one week, including a cook. The last one was a block from the police station. And if Wiener is really worried just about seat cleanliness then maybe he should instead focus his worry on BART upholstery since it clearly brings many more dirty bottoms into the Castro:

Fecal and skin-borne bacteria resistant to antibiotics were found in a seat on a train headed from Daly City to Dublin/Pleasanton. Further testing on the skin-borne bacteria showed characteristics of methicillin-resistant staphylococcus aureus, or MRSA, the drug-resistant bacterium that causes potentially lethal infections, although Franklin cautioned that the MRSA findings were preliminary.

High concentrations of at least nine bacteria strains and several types of mold were found on the seat. Even after Franklin cleaned the cushion with an alcohol wipe, potentially harmful bacteria were found growing in the fabric.

If only they could get rid of that disgusting fabric…


California SB 24 to replace SB 1386

A new bill just signed into law, to take effect on the first day of 2012, aims to improve breach reporting data by updating the breach notification requirements that SB 1386 established:

Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.
In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians. This requirement will “give law enforcement the ability to see the big picture and better understand the patterns and practices of identity theft statewide,” [State Sen. Joe] Simitian explained.

The new Governor, Brown, clearly does not harbor the same concerns as his predecessor.

Schwarzenegger vetoed multiple similar bills, including one last year. Here is how he stated his objections in his veto letter:

This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.

I have to say I disagree. A repository of information leads to tangible benefits to consumers by enhancing our awareness and understanding of vulnerabilities and threats. A standardized repository of information leads to even more tangible benefits. It could even be argued the biggest improvements to privacy have come as a result of analysis of the breaches, not from the fines. Then again, since I regularly do analysis of breach data but I do not collect money for fines, I might be biased.

The interesting twist to this story is that Schwarzenegger apparently had no issue with the laws put on his desk to collect breach data related to medical information. After his wife’s data was compromised in the infamous UCLA case of 2008 he signed into law AB 211 and SB 541.

Monday’s report was the fifth by the public health agency following articles in The Times this year about UCLA employees’ prying into the records of celebrities and prominent patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.

Schwarzenegger then established a repository of breaches at the Department of Public Health (Health & Safety Code section 1280.15) a full year before he announced a lack of consumer benefit from a repository of breaches.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

The big difference to him seems to have been the presence of fines in the text — penalties to make collecting breach data worthwhile. Now that he is out of office SB 24 has passed without any mention of fines. In that sense it is very unlike the text of Health & Safety Code section 1280.15.

The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed. […] Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program

California led the country when it passed SB 1386 and changed the landscape of consumer privacy protection. Now it trails more than a dozen other states that already have passed breach laws like SB 24. And while it is not clear that a breach law is any more effective with a fine in its text, a central repository of breach data in standardized format to me has very obvious benefits to consumer privacy.

If Hemingway wrote code…

  • All things truly insecure start from innocence
  • A man’s got to take a lot of punishment to write really good code
  • If a developer knows enough about what he is coding, he may omit things that he knows. The dignity of movement of an iceberg is due to only one ninth of it being above water.
  • There is no rule on how to code. Sometimes it comes easily and perfectly; sometimes it’s like drilling rock and then blasting it out with charges.
  • I don’t like to code like God. It is only because you never do it, though, that the critics think you can’t do it.
  • The best way to find out if you can trust something is to trust it.
  • The world breaks all code, and afterward, some is strong at the broken places


Another AC45 crash due to ‘limit’ test

Some skippers of the AC45 that crash say it’s bound to happen because they are aggressive at the wrong moment:

When you sail in such an aggressive way you are bound to hit some small bumps along the road that leads to the America’s Cup in San Francisco. Now we know when to push hard and when to sail in a more conservative way. Today’s incident is a very valuable lesson.

The best catamaran sailors keep calm and under control while pushing the boat faster; they feel the absolute limits because their senses are still in touch with a feedback loop and they can control their aggression.

The DigiNotar effect

On September 3rd at 18:52 the Microsoft Security Response twitter account sent out this notice:

We’re in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs

This was four days after they had sent out a security advisory on SSL fraud linked to DigiNotar.

Mozilla’s first announcement was a day before Microsoft’s and was followed up with a bulletin that said all confidence was lost in DigiNotar’s security management.

Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem had been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.

This must come as welcome news to those who use Mozilla and Microsoft products. The security teams at these companies are responding to an authority’s poor security management practices by removing their trust in that authority.

Mozilla even has a convenient page for manual deletion of the DigiNotar CA certificate if you want to take care of it sooner or confirm their update has worked.


These two companies are moving quickly while other major brands seem to be silent. I guess if I owned anything made by Apple I would be concerned right now and wondering why they are so quiet. I explained at the start of my HOPE presentation in 2010 that after 21 years of using Apple as my primary system I will no longer use their products. Hopefully (pun not intended) some of those attending my presentation can now see what I was talking about.

But let’s not get too distracted by the browsers. They have had a problem demonstrating trust in certificates since forever. Five years ago I remember arguing with big groups from Microsoft, Google and Yahoo! over the crisis of certificates in browsers. There was much hand-wringing over the problem of trust with numerous proposals put forward on why we should get rid of the useless lock icon and instead use things like bright green and red URLs — Extended Validation (EV) certificates. This was meant to help put confidence back in browsing but it really spoke to the fact that the certificate system was being easily circumvented. In that case it simply was from manipulating the user experience.

Now we see again the certificate system easily circumvented. We should not be shocked but rather resolved to fix the breach. This time, however, it is an “authority” of certificates that has proven itself to be useless. The problem is more complicated because a certificate authority (CA) is supposed to be worthy of the title. They should know, if anyone, the importance of taking precautions to protect their data.

Let this be an excellent time for everyone to stop and ask themselves if they have ever said “that company would go out of business if they did not have good security so I don’t need to verify”. Pilots use checklists and doctors use compliance checklists. They too would be out of business if they failed, yet even the most intelligent and sophisticated professionals in this world go through a validation program before they take risks.

So the real security issue here is in regard to the confidence in an authority to be managed properly. It is especially important to focus on the response to an incident. It is not that the certificate system has been broken (have you ever seen or heard of a forged driver’s license?) but how companies respond to the discovery of a flaw in their system of authority and trust. The Fox-IT DigiNotar public report version 1 was released on September 5th and it makes DigiNotar look reckless and negligent for several reasons.

  1. Weak record keeping. DigiNotar was not maintaining a record of certificates that they issue, which is an obvious requirement to be a certificate authority.

    The rogue certificate found by Google was issued by the DigiNotar Public CA 2025. The serial number of the certificate was, however, not found in the CA system’s records. This leads to the conclusion that it is unknown how many certificates were issued without any record present.

  2. Weak infrastructure management. There are many examples to illustrate this point, from open wireless access to failure to notice breach traces left behind by attackers, from a flat Windows domain to webservers missing patches, from a lack of antivirus to no centralized logging…

    In August, DigiNotar installed a new web server. It’s fair to assume these hacker traces were copied from the previous web server install. […] A number of malicious/hacker software tools was found. These vary from commonly used tools such as the famous Cain & Abel tool to tailor made software. […] In the text [of the tailor made software] the hacker left his fingerprint: Janam Fadaye Rahbar. […] The attacker(s) had acquired the domain administrator rights. Because all CA servers were members of the same Windows domain, the attacker had administrative access to all of them. […] The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced. The software installed on the public web servers was outdated and not patched.

  3. Failure to respond and alert others to the breach. There is evidence of breaches going back to 2009 that DigiNotar apparently did not investigate. This incident has the following timeline, showing a detection on June 19th and then no response for weeks, until after the attackers had penetrated the servers and generated certificates that caused an external alert.

    06-Jun-2011 Possibly first exploration by the attacker(s)
    17-Jun-2011 Servers in the DMZ in control of the attacker(s)
    19-Jun-2011 Incident detected by DigiNotar by daily audit procedure
    10-Jul-2011 The first succeeded rogue certificate (*
    22-Jul-2011 Start investigation by IT-security firm (not confirmed)
    29-Aug-2011 GOVCERT.NL is notified by CERT-BUND
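The first point above (a rogue certificate whose serial number had no entry in the CA's own records) is the kind of gap a CA can check for mechanically. The script below is an added example for this page, not code from the Fox-IT report or from DigiNotar: it reconciles certificates observed in the wild against a CA's issuance record and applies a whitelist OCSP policy in which any serial the CA never recorded issuing is answered as revoked (RFC 6960 permits the revoked status for certificates the CA has no record of issuing). The CA name, serial numbers, subjects and the issuance record are all constructed sample data.

```python
"""Reconcile observed certificates against a CA's issuance record.

Added example; all data below is constructed and the CA name is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedCert:
    issuer: str   # issuer name as it appears in the certificate
    serial: int   # certificate serial number
    subject: str  # subject DN (only the CN is used here)


CA_NAME = "Example Public CA"  # hypothetical issuer name

# Constructed issuance record: what the CA's own database says it issued
ISSUANCE_RECORD = {
    0x1001: "CN=www.example.com",
    0x1002: "CN=mail.example.com",
}

# Constructed observations, e.g. certificates reported by relying parties
OBSERVED = [
    ObservedCert(CA_NAME, 0x1001, "CN=www.example.com"),     # legitimate
    ObservedCert(CA_NAME, 0x7F3A, "CN=*.google.com"),        # no record of this serial
    ObservedCert(CA_NAME, 0x1002, "CN=evil.example.net"),    # serial recorded, subject differs
    ObservedCert("Other CA", 0x1001, "CN=unrelated.test"),   # different issuer, not ours
]


def find_unrecorded(observed, record, issuer):
    """Return (finding, cert) for certs naming `issuer` that the record cannot vouch for."""
    findings = []
    for cert in observed:
        if cert.issuer != issuer:
            continue  # not claiming to be from this CA
        expected_subject = record.get(cert.serial)
        if expected_subject is None:
            findings.append(("unrecorded-serial", cert))
        elif expected_subject != cert.subject:
            findings.append(("subject-mismatch", cert))
    return findings


def ocsp_status(serial, record, revoked):
    """Whitelist policy: 'good' only for serials the CA actually recorded issuing."""
    if serial in revoked:
        return "revoked"
    if serial not in record:
        # Unknown serial: the CA has no record of issuing it, so never vouch for it.
        return "revoked"
    return "good"


if __name__ == "__main__":
    for kind, cert in find_unrecorded(OBSERVED, ISSUANCE_RECORD, CA_NAME):
        print(f"{kind}: serial={cert.serial:#x} subject={cert.subject}")
    for serial in (0x1001, 0x7F3A):
        print(f"OCSP {serial:#x}: {ocsp_status(serial, ISSUANCE_RECORD, set())}")
```

The reconciliation only works if the issuance record itself is trustworthy, which is exactly what a compromised domain administrator account undermines; the record therefore belongs on a system the CA servers cannot write to directly, and the OCSP responder should consult it rather than the CA database.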

The pig in the grass house just had it blown down. I do not see yet that we should be looking at an urgent and complete overhaul of the entire certificate system. That would be a great long-term goal of course but it is not yet justified, based on this breach of embarrassingly weak defenses. We should instead be taking a better look at how companies manage and sell elements of PKI, as I wrote about recently.

Over the next weeks and months other CA companies will be out to validate or build up their brick house and prove (through compliance assessments) that they know how to be a responsible authority. I think there are still CAs around that can do it, not least of all because we know the mistakes made by DigiNotar. The focus will be to find management failures to follow even basic and well-known security practices. The sophistication of the threat is not nearly as interesting or daunting as DigiNotar’s lack of response and lack of awareness. We should not forget that we are talking about a company whose business depended on good security, like a restaurant depends on a clean kitchen, and yet….

On that notion, I wonder when Apple will wake from its slumber to issue a response.

Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it’s been issued by a certificate authority marked as untrusted in Keychain.

“When Apple thinks you’re looking at an EV Cert, they check things differently,” Sleevi said in an interview Wednesday. “They override some of your settings and completely disregard them.”

Designed as a way to reassure Web surfers that they’re not being phished, Extended Validation Certificates turn the browser address bar green.

It sounds to me like the Apple fix for user experience trust issues with certificates (adding EV support) now limits their ability to handle trust issues with certificate authorities. Perhaps they did not realize that by working to resolve one trust issue that there would be future trust issues ahead? Did they think attackers would sit still? That seems rather ironic. If their EV design turns out to be the problem it just adds fuel to the fire in my belly about the direction at Apple. Consumers will be best served by companies that have the following attributes in their incident management:

  • Fast response
  • Transparency and admission of facts
  • Fixes that acknowledge lessons learned and show process of improvement

This DigiNotar breach thus offers a global litmus test to measure our current products, contracts and services. Who should we trust, and have they responded yet?

Update: I should have also mentioned that this is a shot across the bow of large cloud providers. They rely more on the certificate authority model because it is a highly efficient way to establish (a certain level of) trust for millions of users. The smaller providers and traditional IT organizations have an advantage in that they can make updates to provide trust for their users far more easily and through secondary non-public channels (e.g. distribute secrets, revoke/replace certs).

Risks and Controls in Cloud Computing: 2011 SF ISACA

I will be one of three presenters on an all-day cloud audit session at the 2011 SF ISACA Conference, at the Hotel Nikko in San Francisco, CA.

Session T2: Risks and Controls in Cloud Computing
Time: 8:30am to 5:30pm
Date: Tuesday, November 8th 2011

Amazon and first will present their arguments on audit and compliance, based on the new NIST cloud audit guidance, and then I will respond with the auditor’s perspective. We will close the day with a panel moderated by PwC. It should be a fun debate. Hope to see you there.

Cloud VXLANs and segmentation

The “invisible infrastructure” of VMware cloud is a vision that emphasizes freedom from boundaries:

The Virtual Distributed Switch abstracts the data center fabric and provides a sea of ports. vCloud Director (VCD) creates an Org Virtual Data Center (VDC), including allocating compute and storage resources. Tenants/orgs can now provision their own logical network to connect these resources. VCD delegates networking/security control to the vShield Manager, which in turn creates a VDS port group backed by a VXLAN, maps the tenant id to the VXLAN segment id, and connects org VMs to the respective ports in the port group. Additionally, vShield Edge provides multicast services, and maps tenant broadcasts into provider multicasts (using PIM). We now have VXLAN backed logical networks, which are elastic (add/delete vNics/ports on an as-needed basis).

With networking constraints out of the way, VDCs can now span cluster, pod and subnet boundaries, removing one of the major limitations in the data center.

I covered this in my VMworld 2011 sessions on Penetration Testing the Cloud relative to the concerns around segmentation. Risk analysis or threat maps will help refine the topic but in most cases the best security is one that does not impede the ability of the business to operate freely. The ultimate security objective, in other words, should be to create freedom from interference.

While removal of the limitations might sound scary at face value there are many ways to transparently validate that segmentation and controls are still effective, even in a multi-tenant environment. I will be presenting on this again several times in the next few months, and then publishing a book early next year with a toolkit and scripts to help.
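One way to validate segmentation in a VXLAN-backed tenant network is to decapsulate traffic captured between hosts and check that every inner frame stays inside the segment its tenant was assigned. The script below is an added example, not VMware code or a vShield API: it parses the VXLAN header defined in RFC 7348 (UDP port 4789, an 8-byte header with the I flag and a 24-bit VNI, followed by the inner Ethernet frame) and classifies each frame against a constructed tenant-to-VNI map and a constructed inventory of VM MAC addresses. The org names, VNIs and MACs are all sample data.

```python
"""Decapsulate VXLAN frames and check them against a tenant/segment policy.

Added example; tenant map, VM inventory and packets are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789   # RFC 7348 destination port
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
ETH_HDR_LEN = 14
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed: tenant -> segment id, the mapping the controller (vShield Manager in the text) holds
TENANT_VNI = {"org-alpha": 5001, "org-beta": 5002}
# Constructed: vNIC MAC -> owning org, from the cloud inventory
VM_OWNER = {
    "02:00:00:00:00:0a": "org-alpha",
    "02:00:00:00:00:0b": "org-alpha",
    "02:00:00:00:00:0c": "org-beta",
}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_vxlan_payload(vni, src_mac, dst_mac, inner=b"", ethertype=0x0800):
    """UDP payload of a VXLAN packet: 8-byte header + inner Ethernet frame (test input builder)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # flags(1) reserved(3) | VNI(3) reserved(1): the second word is VNI << 8
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + struct.pack("!I", vni << 8)
    frame = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + inner
    return header + frame


def parse_vxlan(payload):
    """Return (vni, src_mac, dst_mac, ethertype, inner_payload); reject malformed headers."""
    if len(payload) < 8 + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = struct.unpack("!I", payload[4:8])[0] >> 8
    frame = payload[8:]
    dst_mac = mac_to_str(frame[0:6])
    src_mac = mac_to_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return vni, src_mac, dst_mac, ethertype, frame[ETH_HDR_LEN:]


def check_segmentation(payload, tenant_vni=TENANT_VNI, vm_owner=VM_OWNER):
    """Classify one encapsulated frame: ok, vni-mismatch, cross-tenant or unknown-mac."""
    vni, src_mac, dst_mac, _, _ = parse_vxlan(payload)
    src_org = vm_owner.get(src_mac)
    if src_org is None:
        return "unknown-mac"
    if tenant_vni.get(src_org) != vni:
        return "vni-mismatch"   # source VM is carried on a segment its org does not own
    if dst_mac == BROADCAST:
        return "ok"             # tenant broadcast, confined to the segment by the VNI
    dst_org = vm_owner.get(dst_mac)
    if dst_org is None:
        return "unknown-mac"
    if dst_org != src_org:
        return "cross-tenant"   # inner frame addressed to another org's VM
    return "ok"


if __name__ == "__main__":
    samples = {
        "alpha->alpha on 5001": build_vxlan_payload(5001, "02:00:00:00:00:0a", "02:00:00:00:00:0b"),
        "alpha->beta on 5001": build_vxlan_payload(5001, "02:00:00:00:00:0a", "02:00:00:00:00:0c"),
        "alpha on beta's 5002": build_vxlan_payload(5002, "02:00:00:00:00:0a", "02:00:00:00:00:0b"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {check_segmentation(pkt)}")
```

In practice the payloads come from a capture filtered on UDP port 4789 taken on the physical fabric, where an auditor can see traffic from every tenant; a "vni-mismatch" there means a VM or host is emitting frames tagged with a segment id it was never assigned, and a "cross-tenant" result means the logical network is not as isolated as the org VDC model implies.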

Save the Library

Once again libraries are under threat of closure. It seems strange that a place of privacy protection and learning could lose support at a time when they are more relevant than ever.

Take the Netflix model of paying a nominal monthly fee in order to check out a movie, for example. Who wants a Netflix account when they could give the same amount to their local library and get far more in return? Libraries do information dissemination without the burden of trying to make a profit for their investors, which has come to mean they don’t have any incentive to track, collect and sell your identity information. They also end up allowing people to share access to a single license but, unlike Netflix, the license is technically owned by the viewers who share access.

Even more interesting is an idea that the notion of a library, as an exchange of information for public access, could be protected by law.

The Act says a local authority which is a library authority must “provide a comprehensive and efficient library service for all persons . . . whose residence or place of work is within the library area of the authority or who are undergoing full-time education within that area”. Its stock of “books and other printed matter, and pictures, gramophone records, films and other materials”, must be “sufficient in number, range and quality to meet the general requirements and any special requirements both of adults and children”.

That sounds like the library is the school. It might seem crazy to try and legislate the quality of information until you read how Isaac Asmiov described the library in a letter to new patrons of one in Troy, Michigan:

[image: Asimov’s letter, “Libraries are your best friend”]

An updated version is on YouTube from Piers Cawley, who wrote and performed a song called “Child of the Library” at OSCON 2011 and then received a standing ovation:
