Security Ripcord


Canary in the Spam Mine

February 11th, 2009 cutaway Posted in Email, Incident Response, Security, Twitter, forensics No Comments » 2,201 views

Thomas H. Ptacek of Matasano Security asked a question to all of the Twits following his tqbf twitter account:

Quick, Twitterverse. You put a “canary” email account in your database to see if you get owned. You start getting spam to it. NOW WHAT?

I only had time for a quick exchange and I couldn’t follow along with all the responses in real time.  My answer basically boiled down to:

@tqbf I’m coming in late but here is my quick answer: Don’t panic. If you have implemented a canary you have an IR plan. Follow it.

Let’s set up the situation a little bit to ensure that everybody understands what Thomas was referring to as a “canary.” I am fairly certain that most everybody knows that miners used to take a canary with them to act as an early warning system in the event of toxic gases. In this case an extra entry has been created in a database that is supplying information to another application (internal or external) to help provide a warning that the application or database has been compromised. The thought process being that the only way anybody could learn the email address associated with the “canary” entry would be through a compromise. Although you can probably tell from his tone (especially if you understand Thomas’ usual approach to showing that something does not make much sense), Ryan Russell pointed out that Thomas was most likely making a statement that the canary was “stupid cause he thinks there’s no IR that makes sense or that anyone would do.”

I am not going to recap any of the responses to and from Thomas as you can do it yourself should you have time to click back and forth through the twitter accounts Thomas responded to during the exchange.  I would like to follow up on my comment and how I think a canary record in a database may be helpful.

What does the canary in this situation really represent?  Basically, it is a mechanism to help you identify when your other controls have failed for any number of reasons:

  • poor configuration
  • bypass
  • not monitoring the attack vector
  • user error
  • malicious insider
  • [insert your own here]

It is one more piece of defense in depth that may come in handy. It is not designed to provide any more information than the fact that an event has occurred that has exposed the canary to the real world. Utilizing it in a number of ways may help provide more information about when, how, and what happened, but most likely it will not.

What should you do if you start receiving email to a canary email address?  I stand by my very first statement.  DO NOT PANIC.  You received an email to an account.  That is all.  Until more information about the activity can be determined there is no specific methodology, outside of an incident response plan, that should be implemented.  The database server and application server do not need to be imaged and forensically examined on this information alone.  You could do so, but it is a knee-jerk reaction that could be, and more than likely is, wasting valuable time.

Hopefully, if your organization has implemented a canary it has also developed and tested an incident response plan. The person monitoring the email account who has detected the anomaly should initiate this plan. More than likely this will initially pull a limited number of key personnel together to evaluate the situation, identify what is happening, and decide on a course of action. If your company does not have an incident response plan then you should read this paragraph again and use it as the basis for your initial reaction. Pulling the proper personnel together right off the bat will help narrow down the events that have transpired and thereby initiate a more focused and proactive response. More than likely that will begin with more information gathering to get a better understanding of the situation.

Now some people might still argue that to be on the safe side the database and web application systems should be forensically imaged or even taken off-line. I noticed from some of Thomas’ tweets while getting the links for this post that he did receive some of these responses and he pointed out, rightfully so, that it more than likely would not be cost effective, and could even be extremely detrimental, to take either system offline. Although a system can be imaged while running, there is always the risk that while doing a live response and copying memory and/or all internal media there will be a system failure, thereby bringing down the database, application, or even the whole server. Now wouldn’t an incident responder look a little silly if they brought down the only web application servicing a business’ e-customers just to discover later that the email address was leaked when an internal document detailing the canary methodology, including the email address, was exposed to the world by an internal user and their authorized/unauthorized peer-to-peer file-sharing software? That’s a BIG oops that could have potentially been avoided with a little investigation and a little less knee-jerk reaction.

After thinking on whether the canary in the database method is a technique that should be implemented I have come to the age-old conclusion: “Maybe.” What it really boils down to is what other actions an organization has implemented to prepare itself for the day that the canary account does start getting email. There will be no way to begin answering the questions pertaining to root cause for such a leak if the appropriate logging on the network, operating system, application, database, and other controls has not been implemented. If you cannot accurately determine the details behind an event then you cannot determine the details behind an incident. Having a canary in this situation would only lead to too many meetings, poor response efforts, and more money in resources and man-hours than an organization is capable of absorbing effectively. That said, with the proper controls and incident response plan in place, a canary record in a database, a canary file in a file-share, an embedded HTML tag in a document, or a network monitor on a dark net are a few techniques that only take a few minutes to implement but could provide valuable information about an event and possibly an incident. These could be leading contributors to detecting and reacting to an unforeseen threat or newly exposed vulnerability. Although simple, they could be the piece of the puzzle that allows an organization to close the gap between the incident and the initial response.
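As an added illustration (my own code, not anything from the original post or from Thomas’ thread), here is one way to seed a distinct canary address per data store and triage inbound hits, so that mail arriving at a canary tells you which system it was seeded into and hands the incident response plan a few facts (first seen, how many, from whom) instead of a reason to panic. The key, domain, source names and inbound mail records are all constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed example values; not from the original post.
CANARY_KEY = b"example-only-secret-replace-me"
CANARY_DOMAIN = "example.com"
# One canary per data store it is seeded into, so a hit names the leaking system.
CANARY_SOURCES = ["crm-db", "newsletter-db", "hr-fileshare"]


def canary_address(source_id: str) -> str:
    """Derive the canary address for a source. The keyed HMAC tag means someone who
    finds one canary cannot guess the others, and no lookup table needs storing."""
    tag = hmac.new(CANARY_KEY, source_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{CANARY_DOMAIN}"


def identify_canary(recipient: str) -> Optional[str]:
    """Return the source id if `recipient` is one of our canary addresses, else None."""
    recipient = recipient.strip().lower()
    if not recipient.isascii():  # compare_digest only accepts ASCII strings
        return None
    for source_id in CANARY_SOURCES:
        if hmac.compare_digest(recipient, canary_address(source_id)):
            return source_id
    return None


def triage(inbound):
    """Summarise canary hits from inbound mail records (timestamp, sender, recipient).
    Returns {source_id: {"first_seen", "count", "senders"}}: the facts the incident
    response plan starts from, not a reason to image servers on the spot."""
    hits = {}
    for ts, sender, rcpt in sorted(inbound):
        src = identify_canary(rcpt)
        if src is None:
            continue
        rec = hits.setdefault(src, {"first_seen": ts, "count": 0, "senders": set()})
        rec["count"] += 1
        rec["senders"].add(sender)
    return hits


# Constructed inbound mail records for the demonstration.
SAMPLE_INBOUND = [
    ("2009-02-10T08:15:00Z", "promo@bulk.invalid", canary_address("crm-db")),
    ("2009-02-10T09:40:00Z", "deals@bulk.invalid", canary_address("crm-db").upper()),
    ("2009-02-10T10:05:00Z", "alice@example.org", "alice@" + CANARY_DOMAIN),
]
```

Feeding `SAMPLE_INBOUND` to `triage()` reports a single source, `crm-db`, with two hits, which is exactly the kind of narrow starting point the response team wants before anyone touches a production server.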

Go forth and do good things,

Don C. Weber


Cutaway Influences Security Managers AROUND THE WORLD!!

February 21st, 2008 cutaway Posted in Email, SANS, Security 1 Comment » 1,731 views

As I mentioned in the SMTP Server Security post, “I have just finished writing a paper for a SANS initiative that Stephen Northcutt is working on.” I have recently learned that this paper has been accepted for the SANS MGT512 Courseware Update and, in whole or part, will be influencing Security Managers from around the world when it is introduced into the SANS course rotation. For those of you who are not familiar with the SANS Security Leadership Essentials For Managers with Knowledge Compression, here is an excerpt from the course description.

This completely updated course is designed to empower advancing managers who want to get up to speed fast on information security issues and terminology. You don’t just learn about security, you learn how to manage security. Lecture sections are intense; the most common student comment is that it’s like drinking from a fire hose. The diligent manager will learn vital, up-to-date knowledge and skills required to supervise the security component of any information technology project. Additionally, the course has been engineered to incorporate the NIST Special Papers 800 guidance so that it can be particularly useful to US Government managers and supporting contractors.

Attending this course will help Security Managers achieve the GIAC Security Leadership Certification (GSLC) which is required for those who are responsible for being in compliance with DoD 8570 IAM Level 1, 2, or 3.

I worked hard on this small little piece of the puzzle and I am very happy that it was included. I would like to give you a little taste of the write up here but I am afraid that you are just going to have to register and complete the course. I can tell you, however, that I did manage to work in a quote about data loss prevention by my friend Rich Mogull (get well quick, Rich) over at Securosis and the Network Security Podcast which he wrote for Network World back in February of 2008.

Although an important topic, DLP is an evaluation of “an overview of major gateways, data repositories, and endpoint management infrastructure” which should be performed as its own initiative.

So I did spread the love, at least a little.

As to “Influencing Security Managers AROUND THE WORLD!!!?” Well, it is a big job, but somebody had to do it. Actually, I am glad I could contribute even if it was just a little bit.

Go forth and do good things,

Don C. Weber

P.S. Remember, I am a SANS Affiliate. If you are going to be attending any SANS classes start by clicking on a link from this site. SANS will kick me a few bucks that will help contribute to my training and conference appearances. My, and Security Managers AROUND THE WORLD!!!, thanks in advance.


SMTP Server Security

February 16th, 2008 cutaway Posted in Email, SANS, Security 1 Comment » 1,406 views

I have just finished writing a paper for a SANS initiative that Stephen Northcutt is working on. Although I do not have permission to provide it here (yet) I thought you all might be interested in some of the resources I have tracked down relating to this subject. There is no particular order and some of the information may be redundant, but here you go.

  • General guidance, SANS Top 20: http://www.sans.org/top20/
  • Open relay source: http://www.spamhelp.org/shopenrelay/
  • Mail relay and spoof source: http://www.defendingthenet.com/Newsletters/HackingSMTPGatewaysCommandReference.htm
  • Open relay mitigation source: http://www.mail-abuse.com/an_sec3rdparty.html
  • Mail relay testing source: http://www.abuse.net/relay.html
  • DoD bans webmail source: http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=102
  • Microsoft 2007 Security Guide: http://technet.microsoft.com/en-us/library/bb691338.aspx#BestPractices
  • Email spoofing source: http://www.windowsecurity.com/articles/Email-Spoofing.html
  • How email works, plus securing your server: http://www.ftc.gov/bcp/conline/pubs/buspubs/secureyourserver.shtm
  • Server security source: http://spamlinks.net/prevent-secure.htm
  • Spoofed email source: http://www.cert.org/tech_tips/email_spoofing.html
  • Spoof detection source: http://www.fraudguides.com/internet_detect_spoofed_email.asp
  • Linux Journal article: http://www.linuxjournal.com/article/5753
  • 7 reasons why HTML e-mail is EVIL!!!: http://www.georgedillon.com/web/html_email_is_evil.shtml
  • Expert warns of security dangers from webmail: http://www.itwire.com/content/view/2373/53/
  • Internal/External email server (DMZ): http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
  • SMTP Security: http://technet2.microsoft.com/windowsserver/en/library/ded0ca67-f81c-49ad-91d4-cb21bc91dd0b1033.mspx
  • Data loss prevention: http://www.networkworld.com/columnists/2008/020408insider.html?fsrc=rss-security


Go forth and do good things,

Don C. Weber


Fake Cop Captured Via Email

December 14th, 2007 cutaway Posted in Email, Security, police 1 Comment » 1,227 views

Most of you might not know that there was a fake police officer pulling people over and getting free meals in the areas surrounding League City, Texas, which is just southeast of Houston, Texas. In fact the news did not pick up the story until December 12th, 2007, when my wife’s oldest friend was pulled over and questioned by the imposter.

The cool thing about this story is that the news coverage did not help capture this person. In fact, it was an email from my wife’s friend to several of her friends in League City. Then the viral marketing began. Apparently, this email spread through League City like wildfire in a strong wind. Eventually it got back around to a woman who thought the description of the individual, his clothes, and his vehicle sounded very similar to her husband. After that it was game over. The police had the man in custody that evening and now the world is safer, all because of one email.

The concept of phony police officers is not new. I’m sure that posing as a person in a position of authority goes back to the advent of civilization. But how can law-abiding citizens protect themselves from falling victim to these types of persons? After all, it is the natural instinct of most law-abiding citizens not to question authority, as was the case with my wife’s friend. However, people should act on their suspicions if they feel uncomfortable about a situation. I have a few recommendations for people who find themselves on a lonely street, in the middle of nowhere, and feel uncomfortable about letting a stranger approach their vehicle and, verbally or physically, remove them from the vehicle.

Disclaimer: All situations are different. Use your own judgment as to how to protect yourself. These are merely suggestions to get you thinking down the right path. YOU are responsible for your personal security.

  • Cell phones are your friends. Dial 911 and start talking with the person on the other end. Police departments usually know the exact location of all their officers. 911 operators are most likely trained to handle this situation. (No, I have not had time to call and verify.) The 911 operator will be able to tell you if a person is a police officer or even dispatch a police officer in a clearly marked vehicle and uniform.
  • Always keep your doors locked when you are driving. It is much harder to car jack somebody when the doors will not open.
  • Remain calm and think. Panic breeds rash decisions like speeding off and possibly crashing during a high speed pursuit.
  • Do not speed off unless you believe it is absolutely necessary to save your life. It is very hard for a person to chase down even a slow moving car. If you drive off do so slowly and remain at or below the speed limit until you come to a safe place that you can stop. If you are obeying traffic laws most police officers are not going to forcibly stop you until they have backup, which is what you want.
  • If you do drive off start thinking about a safe place to stop. Think of a place with lots of people or where multiple people will notice your arrival. Open gas stations are good because they are surrounded by open glass and the attendants will usually notice a vehicle approaching. Drug stores, although usually open, are not so good because the attendants don’t know anybody is around until the front door opens.
  • Police do not need to touch you to give you a ticket. Do not roll your window all the way down. You can give them all of the information they want through a small crack in the window. If they ask you to roll down your window, politely refuse. If they keep insisting, explain that you would like to wait until another police officer, in a separate vehicle, is present. This way you cannot be grabbed or assaulted with most weapons.

If you have more recommendations, please leave a comment, especially if you are a police officer. People need to know the best way to handle this situation while protecting themselves from the Taser of a frustrated police officer.

Go forth and do good things,

Don C. Weber
