Archive for February, 2013

While we’re on the topic of attacks … awesome gadgets

Thursday, February 28th, 2013

Seems like security exploits are all the chatter these days. People tend to think of these things as anonymous, remote things, but what if you can get (briefly) physical access to your adversary’s premises?

This would be a cool device to surreptitiously plug into their AC and wall power:

elite device

Very slick. And very dangerous. Funny that nobody talks about these things … is it because only the low-tech, user-must-have-been-duped attacks are press-worthy?

Now China claims US hacks

Thursday, February 28th, 2013

Sometimes press releases are so dumb that they are funny.

Recently, the security firm Mandiant provided a detailed analysis of systematic, industrial-scale attacks against US and other private interests by a large, government-supported, well funded Chinese military agency. This was a wonderfully interesting read because it was full of evidence, analysis, clear links to a state actor as the aggressor, estimates of the scope and duration of attacks against private sector targets and more. Brilliant stuff.

Obviously, China denied the allegations (and why wouldn’t they?). Of course, none of that detracts from the detailed and convincing evidence, so clearly the Chinese feds are just engaged in mindless damage control and PR. No big deal – that’s the sort of stuff governments do.

Forceful public denials didn’t seem to convince anyone, though, so now they have a new tactic – complain that US hackers are attacking them instead. They claim 144,000 “attacks” per month against a couple of military-related web sites.

Call me crazy, but I’m dubious. First, no evidence was provided, so who knows if the number just came out of some marketing hack’s rear end or represents anything factual?

Second, what constitutes an attack? Our corporate web site is hit by thousands of script kiddie connection attempts daily, presumably hoping to take advantage of a buffer overflow or bug in some software or other, which isn’t even installed on our site. This sort of “attack” traffic is just a normal part of the web traffic for most sites. Should we consider these connections to be “attacks” or just random “probes?” If they come from compromised machines that happen to be in the US, does that mean that “the US is attacking us?” I hardly think so.

So clearly the Chinese government’s public relations hacks are behaving like children, as you would expect them to:

  • They don’t seem to know what an “attack” is.
  • They don’t seem to understand the value of “evidence.”
  • They are engaging in a transparent effort to save face, after having been caught with their hand in the cookie jar.
  • They cannot seem to differentiate between “state actors” and “IPs registered in that jurisdiction.”
  • Of course, they have provided no evidence that Mandiant’s report is in any way untrue. Think about it — if that report was wrong, they could just march some reporters from the BBC or CNN or something into the building where the operation is purported to be taking place and show them that there are no hackers here. Easy, case closed, Mandiant would have egg on their face. What? They haven’t done that? Surprise, surprise!

The discussion above is not meant to imply, by the way, that the US military does not engage in “cyber warfare” — just that they are much more sophisticated and effective than this silly press release suggests. Think Stuxnet, not script kiddie. I’m not sure that they target China much either. Probably not enough Chinese-speaking US hackers to do that effectively. I think they are much more concerned with military and nuclear targets in Iran than Chinese commercial interests.

Watch the strength of your authentication…

Friday, February 22nd, 2013

I just heard about an organization – which shall remain nameless to save them embarrassment and reduce their risk exposure – that is seriously considering doing the following:

  • Eliminate security question enrollment and authentication using security questions from their internal, corporate password reset system.
  • Instead, ask each user to enroll a personal e-mail address (i.e., an address at a public e-mail service).
  • If a user forgets their corporate AD password, send a PIN to their personal e-mail address that will then be used as the sole form of authentication.

Now maybe you’ve been living under a rock, but it seems to me that a bunch of consumer-facing web sites have been hacked in the past year or two. That means that this organization would lower the security of their corporate systems and applications to the security of public e-mail systems, which are vulnerable to phishing, keylogging attacks, DNS poisoning attacks, cookie stealing attacks, PC malware and who knows what else.

In short, no security at all.

I’m amazed that any corporation would consider such a thing.
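To make the point concrete, here is an added example (mine, not the organization’s or any vendor’s code) contrasting the proposed flow, where an e-mailed PIN is the sole factor, with one that keeps the e-mailed PIN but binds it to a second factor, a short lifetime and an attempt limit. The TTL, attempt limit, user name and security-question answer are constructed sample values; the `security_question_check` second factor stands in for whatever independent factor the organization already has.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy parameters (assumptions, not from the post).
PIN_TTL_SECONDS = 10 * 60   # an e-mailed PIN is honoured only briefly
MAX_PIN_ATTEMPTS = 5        # a six-digit PIN cannot survive unlimited guessing


def _digest(value: str) -> bytes:
    """Store only a hash of secrets so a database read does not expose live PINs."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def new_pin() -> str:
    """Six-digit PIN from the OS CSPRNG; this is what would be e-mailed to the user."""
    return f"{secrets.randbelow(10**6):06d}"


class WeakResetService:
    """The flow the post describes: a PIN sent to a personal mailbox is the sole factor."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def start(self, user: str) -> str:
        pin = new_pin()
        self._pending[user] = pin
        return pin  # transmitted to the user's personal e-mail address

    def finish(self, user: str, pin: str) -> bool:
        # Whoever can read the mailbox can reset the corporate AD password.
        return self._pending.get(user) == pin


@dataclass
class _PendingReset:
    pin_hash: bytes
    issued_at: float
    attempts: int = 0


class HardenedResetService:
    """E-mailed PIN kept as one factor, but bound to a second factor, a short
    lifetime and an attempt limit. `second_factor` is a hypothetical callable
    (user, proof) -> bool, e.g. a security-question check or an authenticator code."""

    def __init__(self, second_factor: Callable[[str, str], bool]) -> None:
        self._second_factor = second_factor
        self._pending: Dict[str, _PendingReset] = {}

    def start(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        pin = new_pin()
        self._pending[user] = _PendingReset(pin_hash=_digest(pin), issued_at=now)
        return pin

    def finish(self, user: str, pin: str, proof: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        state = self._pending.get(user)
        if state is None:
            return False
        if now - state.issued_at > PIN_TTL_SECONDS:
            del self._pending[user]          # expired: the user must start over
            return False
        state.attempts += 1
        if state.attempts > MAX_PIN_ATTEMPTS:
            del self._pending[user]          # too many guesses: void this reset
            return False
        pin_ok = hmac.compare_digest(_digest(pin), state.pin_hash)
        factor_ok = self._second_factor(user, proof)
        if pin_ok and factor_ok:
            del self._pending[user]          # single use
            return True
        return False


# Constructed second factor: the security-question answer the organization
# wanted to drop, stored only as a hash (sample data, not real users).
_ANSWER_HASHES = {"alice": _digest("blue heron")}


def security_question_check(user: str, proof: str) -> bool:
    expected = _ANSWER_HASHES.get(user)
    return expected is not None and hmac.compare_digest(_digest(proof), expected)
```

The contrast is the whole point: in `WeakResetService`, the security of the corporate account is exactly the security of the personal mailbox, while in `HardenedResetService` a mailbox compromise yields one factor of two, for ten minutes, with five guesses, and the PIN never sits in clear text on the reset server.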

Chinese hacks, US hacks

Thursday, February 21st, 2013

Much has been made in the past couple of days of the report put out by Mandiant which links a bunch of recent, high profile security attacks to a group of Chinese hackers that are presumably a part of the People’s Liberation Army (PLA) — i.e., the Chinese military.

The report is here by the way — and it’s a very interesting read. Recommended.

Anyways, people are treating this as though it’s shocking new information. Really? You didn’t know that the Chinese state spies on foreign entities, principally corporations, to gain commercial advantage? I would think that’s well known and unsurprising.

At the same time, people treat this as though it’s only the Chinese doing it. One of the largest government agencies in the US is the National Security Agency (NSA). What do you imagine they do for a living?

More than that – we should think about the nature of cyber warfare. The Chinese, from recent experience, are really interested in just two things:

  • Criticism of their leadership, and in particular the interesting ways in which their families accumulate extreme wealth.
  • Commercial information — intellectual property, pricing information, plans for take-overs, mineral development, etc.

So what does the US focus on? It seems they’re more interested in traditional targets for spying — foreign governments and military agencies. Interestingly, the US does something in the cyber warfare space that no other government seems to do (yet?), and that is to deploy an offensive capability. Worms such as Stuxnet have been spectacularly successful at delaying Iran’s ability to refine weapons-grade uranium, and represent a capability and military policy totally unlike China’s.

So what do we take away from all this?

  • Yes, just as everybody already knew, and despite the totally non-credible denials, China’s military engages in espionage on an industrial scale.
  • China’s hacks are focused on fairly mundane stuff: IP theft, commercial intelligence and protecting the reputations of their leadership.
  • The US, in contrast, has a conventional espionage regime, targeting governments and military agencies.
  • Also unlike China, the US both possesses and has deployed an offensive cyber-warfare capability.

It may only be a matter of time before other players engage in the offense or emulate China’s commercially-oriented spy tactics.

We live in interesting times.

Do you really need that second account?

Wednesday, February 20th, 2013

We do a lot of Identity Manager deployments, and the standard operating procedure (SoP) of most of our customers seems to be to provision a second, privileged account for many IT workers. The thinking here is decades old — users should sign in with their normal, unprivileged account for day-to-day work and only use their privileged account for administrative tasks. This reduces risk, because if the user in question makes a mistake while signed in with their normal account, the amount of harm that may ensue is limited.

That’s all well and good – it made perfect sense in an environment where security rights are assigned to a user persistently, without a time domain component. These days, however, we have products such as Hitachi ID Privileged Access Manager, and doubtless others. Using software in this category, it becomes possible to temporarily grant a user membership in privileged groups (e.g., Domain Administrators and the like), for just long enough to complete a task. That means that a user’s normally unprivileged account can be made privileged for a short time period. This approach has audit benefits — we can track not only who has admin rights, but when and for what purpose.

If this approach is used, going back to the notion of two accounts per user, we should ask ourselves: do IT workers such as system administrators still need that second, privileged account?

I think the answer is “no” – temporary privilege escalation is a cleaner, more transparent and easier to manage solution.

So let’s stop creating these admin IDs, and instead focus on controls around and audit records of privilege escalation.

What is the defining characteristic…?

Monday, February 11th, 2013

I’ve been thinking for a while about what, exactly, is the defining characteristic of a privileged access management system?

Some people seem to think that it’s password management. Some even go so far as to call this product category a “password vault.”
But what about granting someone temporary access to elevated access rights in some other way? What about temporary group membership, or temporary SSH trust relationships, for example?

A few years ago, we renamed our software in this category from “Privileged Password Manager” to “Privileged Access Manager” for just this reason — because there were mechanisms at play which have nothing to do with passwords.

I’m still thinking about what it is that really defines this product category, however, and I think I’ve hit on the *one* *key* feature. That feature is granting temporary access — i.e., adding a temporal element to an access grant. If you can control *when* someone gets access to something, then you create a much more interesting audit trail and have an opportunity to generate forensic data, such as screen captures and keylogging (among many others). The key, though, is *time*. You can run these commands as root/Administrator/whatever for the next 2 hours. You can do that either because you were pre-authorized or because someone approved your workflow request, but it’s bounded in time and space.

So that’s my thought for the day. Privileged Access Management is fundamentally a problem in the time domain.
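As an added illustration of both this post and the earlier one on second accounts (my own sketch, not Hitachi ID Privileged Access Manager’s code or any product’s API), the model below treats group membership as a set of time-bounded grants: a user holds a group only while a grant is live, a grant exists only because the pair was pre-authorized or a named approver signed off, and every decision lands in an append-only audit list that can answer the forensic question “who held this group at that moment, why, and on whose authority?” User, group and approver names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """A time-bounded membership: `user` is in `group` only while start <= now < end."""
    user: str
    group: str
    start: float
    end: float
    reason: str
    authorised_by: str   # "pre-authorized" or the approver of the workflow request


class TemporalAccessManager:
    """Hypothetical model of temporary group membership with an audit trail."""

    def __init__(self, preauthorized: Optional[Iterable[Tuple[str, str]]] = None) -> None:
        # (user, group) pairs allowed to self-serve without an approver
        self._preauthorized: Set[Tuple[str, str]] = set(preauthorized or ())
        self._grants: List[Grant] = []
        self.audit: List[Dict] = []   # append-only record of who/what/when/why

    def request(self, user: str, group: str, duration_s: float, reason: str,
                now: float, approver: Optional[str] = None) -> Optional[Grant]:
        """Grant `group` to `user` for `duration_s` seconds, or refuse and log it."""
        if approver is None and (user, group) not in self._preauthorized:
            self._log(now, "denied", user, group, reason, None)
            return None
        grant = Grant(user, group, now, now + duration_s, reason, approver or "pre-authorized")
        self._grants.append(grant)
        self._log(now, "granted", user, group, reason, grant.authorised_by, until=grant.end)
        return grant

    def is_member(self, user: str, group: str, now: float) -> bool:
        """The access check a target system would ask: is this user in this group right now?"""
        return any(g.user == user and g.group == group and g.start <= now < g.end
                   for g in self._grants)

    def effective_groups(self, user: str, now: float) -> Set[str]:
        """Everything the normally unprivileged account currently carries."""
        return {g.group for g in self._grants if g.user == user and g.start <= now < g.end}

    def members_at(self, group: str, at: float) -> List[Tuple[str, str, str]]:
        """Forensic query: who held `group` at time `at`, why, and who authorised it."""
        return [(g.user, g.reason, g.authorised_by)
                for g in self._grants if g.group == group and g.start <= at < g.end]

    def _log(self, now: float, event: str, user: str, group: str, reason: str,
             authorised_by: Optional[str], until: Optional[float] = None) -> None:
        self.audit.append({"t": now, "event": event, "user": user, "group": group,
                           "reason": reason, "authorised_by": authorised_by, "until": until})
```

Notice that nothing here needs a second account: the grant attaches to the user’s ordinary identity, expires on its own, and the audit row records the purpose and the approver, which a persistent admin ID never does.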

Happy Monday. 🙂