Seriously? Are We Still Doing this Crap? (RANT MODE = 1)
These days I’m giving a DBIR presentation that highlights the fact that SQLi is 10 years old, and yet is still one of the favorite vectors for data breaches.
And while CISOs love it when I bring this fact up in front of their dev teams, in all deference to software developers and any ignorance of secure coding, we (the security industry) are guilty of equal (and perhaps equally damaging) stupidity.
Take, as an example, this Computerworld article. Please.
Ostensibly, this article is about “Six Enterprise Security Leaks You Should Plug Right Now“. Now when I see “Six Enterprise Security Leaks You Should Plug Right Now” I think – wow, these are going to be the most common and serious causes of data breaches and security incidents. Pull the emergency rip cord, scramble the F-5s for interception and send launch codes to the subs. These are going to be proven attack vectors and techniques enumerated in a no-BS manner for the CIO.
Unfortunately, this is a great piece of circa 1999 FUD horseshit.
First example: The Bluetooth Gun
Things I think when I see this pic:
- 55% “Compensating for something?”
- 33% “Because pointing a 4.5 foot gun at someone is COMPLETELY inconspicuous!”
- 12% “It’s not just Bluetooth, it shoots PSYCHIC BULLETS!!!!!!1!1”
Like really? Bluetooth rifles? In all fairness, this first “panic and plug” piece of the article is ostensibly about “smartphone security”. And I guess RSnake is giving fine advice. But really, trying to tell execs that they can’t have an iPhone because some corn-fed, hand-spanked Insane Clown Posse fan with a “bluetooth rifle” might “steal their address book” is going to make you look like, well, an insane clown.
Hilarious, of course, is the recommendation that organizations give out company-sanctioned “robust” platforms like Android. Because when I think “robust”, time-tested, and controlled platform for development and enterprise adoption, I think “Android” (not a knock on Android per se, fans of the platform, no. But seriously, you have to acknowledge that it’s pretty much still a “newer” smartphone platform and not exactly one under the control of Google in terms of quality to market).
Second is “Open Ports on a Network Printer.” Really.
I’m gonna be frank and honest with you, dear reader. My pentest experience is about 5 years out of date, but I’m willing to bet that things haven’t changed that much, and I can still say with all certainty and seriousness that if your internal security is tight enough that you have to worry about “open ports on networked printers”, you’re already in the 98th percentile of capable security organizations. Take a break, pat yourself on the back, have an Oktoberfest something, and then tomorrow you can worry about something like solving log management issues. Forget “network printers”.
“One of the reasons you do not hear about it is because there is no effective way to shut them down,” says Jay Valentine, a security expert.
“Another one of the reasons you do not hear about them is because, in terms of security issues within the network perimeter, printers are about as important as, say, the possibility that some mentally unstable SEO/Web analytics employee has a 4.5 foot bluetooth gun in his cube and is using it to capture screen shots of your CFO playing Angry Birds on her iPad, posting them to Facebook, Yahoo Forums, and otherwise embarrassing the CFO’s 14-year-old son because his Mom plays Angry Birds at work.” – Alex Hutton, not an expert at anything
Custom-developed Web apps with bad code are, actually, at least according to the DBIR, something to worry about. I’ll limit the snarkiness on this one; they got it right.
Next is something I really have an issue with. They label it “Social Network Spoofing” and I have to ask – is this an enterprise “leak” that IT can “plug”?
I mean, RSnake’s example is a phone-based social attack where someone impersonates monster.com. And phone attacks do make up something like 21% of social attacks in the DBIR data set. That’s fine. But we’re dealing with a phone-based attack here. Not something having to do with Facebook. And really, after the whole stupidity and non-story of Robin Sage – is it a good idea to even bring this up? We can add to the craziness the fact that there isn’t a lot of evidence for this attack vector, and the remediation that enterprises should take, most confoundingly (yes, it’s a Yosemite Sam word, deal with it), according to this article, is “email verification that confirms the identity of the sender”. Yeah. Because that shit’s ubiquitous. What you really want is to limit your users’ ability to interact with customers, vendors, and other business silos because they don’t use compatible “email verification” platforms.
Look, I know awareness programs are much maligned. And I’m completely aware that most of them suck. But really, there’s no way that you’re going to combat phone-based scams with technology. It’s called SOCIAL ENGINEERING for a reason. You’re not manipulating systems, you’re manipulating people. This may be a leaky hole or something (proportionately, it’s not, really, if you take data breach stats with any seriousness), but the remediation is, well, strange. In my social engineering experience, I’ve gotten tons of information without ever using email as a follow-up vector after a phone call.
Employees Downloading Illegal Movies and Music
Winn Schwartau is right, there’s no reason that folks should be putting this crap on work boxes, and P2P is a filth pit of code.
But I’m looking in the DLDB/Verizon/USSS data sets and you know what? I’m finding a lot more basic crap people need to worry about in terms of both frequency and impact. P2P is bad, get Marimba or something and keep that crap off user endpoints, sure. But P2P just doesn’t seem to be a top-6 enterprise leaky hole thingy, stop-the-world-and-panic, write-a-Computerworld-article-about-it problem.
Finally, we have SMS text messaging spoofs and malware infections.
You know how often SMS text messaging is a vector in the data sets I’ve seen? Really? Zero. None. I’ve never seen any incident of any magnitude be more than “proof-of-concept work” (Schwartau’s words, not mine).
Seriously, folks. Look at hacking and malware paths in the DBIR. And be very, very concerned about SQLi and other remote access. Draw on botnet stats from the Microsoft SIR and be wholly uncomfortable with the complexity and size of your network. Read the Visible Ops for Security book (now on Kindle!) and understand how far from process maturity your IT and IT security processes are, and weep accordingly. Sort through DLDB and be afraid of what evil lurks in the laptops of end users. There are real problems with the state of corporate IT security.
But SMS text messages getting “business intelligence” (these words you use, I don’t think they mean what you’re thinking) or SMS text messages installing mobile malcode? Not one of the big problems. Not even close. Hell, I’d love for the industry to be in such a secure state that malcode installed by SMS *is* a big “enterprise leak thing” to panic and plug. Same with network printers. But right now, every ounce of data says that going to “your carrier and work with them to make sure that they’re using malware blocking software” is not only a complete waste of energy, but it’s basically bat-shit insane.
They’re coming to take your cell phones away, haha
What bothers me most about this article is that two people I esteem, RSnake and Winn, are feeding the FUD. Focusing on the possible (seriously, that bluetooth gun pic cracks me up every time I see it) and ignoring what’s actually causing breaches for the sake of media sensationalism is a complete FAIL.
Let’s see if our own FUD makes the Defcon FAIL panel this year.
Sorry for the Nick Cage with crazy eyes.