Security Ripcord


Why I do Information Security

July 23rd, 2008 cutaway Posted in Comic, Security, Security Vendors

I’m not a funny guy and I am definitely not an artist. But, in the spirit of Stick Kung Fu, XKCD, and Deep Inspection, I couldn’t help myself. Every time I miss the waste basket I am reminded of why I work in this field.

Happens every time!!


Tipping the King, Resetting the Board

December 13th, 2007 cutaway Posted in Firewalls, IDS, Management, Risk, Security, Security Vendors, UTM

I have to concede to Chris on several points of his latest post. I do so because:

  1. He definitely has more experience, than I, deploying a variety of controls in a variety of environments of varying size.
  2. He definitely has more experience, than I, speaking to the capabilities of these controls and providing comprehensive and understandable analogies and examples.
  3. He definitely has more time, than I, to correlate and integrate, free and expensive, disparate and concise literature and case studies to fuel his analogies and examples and employ them in a variety of circumstances.

After all, it is what he does for a living. And he is very good at it. That is why he is listed in my blogroll and the majority of the blogrolls associated with my daily information security firehose. Hell, it is why he can list articles in many hard and soft copy information security publications.

Me, on the other hand, I am a security professional wielding my experiences and knowledge to the best of my ability to provide my employers and customers with the same level of service Chris provides despite my limitations due to time in service. I use my experiences with technology, interactions, and introspection to form my conclusions and present them as the very best solution for the situation. I will personally guarantee the deployment of every one of my recommendations and provide mitigation suggestions when it is, as we know it will be, circumvented, exploited, outdated, outclassed, obsolesced, ineffective, unmanageable, flappable, overly expensive, or just plain wrong. In other words, I am confident and I am willing to make mistakes because I can fix them and the majority of the time I will not make them again.

I truly think that this whole blogging interaction started because of my attempt to be flamboyant about the topic to draw attention to it. Unfortunately, as most gussied up topics do, the central point of the discussion was lost for a while. Luckily, in his last post, Chris brought it back around. Let me try to talk about my point in very plain English.

I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure. I have a problem with these solutions because the technologies they are combining on one system are not simple applications. They are robust technologies with a lot of complexity and I am afraid that the vendors will not take the interoperability of these technologies into consideration before they push them to market. I would much rather recommend to my employers and customers that we limit the utilization of such technologies to select portions of the internal network where they can provide the most value with the least concern. I feel much better placing tried and true simple, relatively speaking, controls at the locations associated with high risk. I don’t have foolproof examples. I don’t have case studies to back up my hypothesis. I have my feelings and opinions. And, actually, since I am not dealing with Fortune 500 CEOs, CTOs, CISOs, and patent producing PhD wielding end users, I don’t really need it. In the realm of the small, limited budget, network, my feelings and opinions have been, to this point, sufficient.

Next, I don’t think I have a problem with purchasing a UTM to provide a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell because I believe that UTM developers have taken the complex nature of these technologies into consideration. I was hoping that somebody I know would respond by telling my, and their, readers whether or not UTM solutions are better than the “all-in-one” firewall solution advertised in the DarkReading article, and why. If I had to guess, because of my aforementioned lack of UTM experience, I would think that UTMs separate the responsibilities in much the same manner as role-based control.

Can anybody answer this question for me? It is all I really wanted out of the whole conversation.

So, Chris, I lay my King down so that we may reset the board and start the next conversation fresh. I think you are correct when you say that I need to provide more clarifying evidence during my conversations. I will take it to heart as much as I can in my day to day security related duties. I’ll even attempt to do so in my blogging. But, as my blog is more for personal edification, education, and venting I have a feeling that a few misguided and ill-informed opinions will slip in from time to time.

Go forth and do good things,

Don C. Weber


Immunity’s SILICA, Debugger, and PCI Based Rootkit at DefCon 15

August 12th, 2007 cutaway Posted in Exploits, Security Vendors, Tools

On the last day of DefCon 15 I had time to stop by the Immunity booth in the vendor area. Although he was very busy Dave Aitel did take some time out to speak with me. After a little small talk he pointed out a few of the things that they were promoting to the DefCon attendees.

SILICA
First was the Nokia N800 running SILICA. This penetration testing device is going for a cool $3600 and Immunity is selling it directly on their website. According to Immunity:

Immunity SILICA is a hand-held penetration testing product that leverages Immunity CANVAS to provide a unique testing tool for networks. Currently it supports 802.11 (Wi-Fi) and Bluetooth, and Ethernet via USB is planned for the near future.

Its slim, PDA-like profile allows the penetration tester to perform testing while behaving innocuously.

SILICA on Nokia N800

Very interesting. I would love to get my hands on one but cannot afford the sticker price. Of course, it would be even more interesting to see if there is enough memory to also include Ruby and Metasploit as David Maynor has done. How could it hurt to have both of these tools at your PDA fingertips?

Immunity Debugger
After looking these over Dave pointed me to Immunity’s latest release, the Immunity Debugger. According to Immunity:

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

  • A debugger with functionality designed specifically for the security industry
  • Cuts exploit development time by 50%
  • Simple, understandable interfaces
  • Robust and powerful scripting language for automating intelligent debugging
  • Lightweight and fast debugging to prevent corruption during complex analysis
  • Connectivity to fuzzers and exploit development tools

Although I have very limited experience with debuggers Immunity seems to have put together a package that is very user friendly. Hopping between analyzing source code and GUI based flow charts seemed very helpful and I could easily understand how a vulnerability in one section of code affected and was accessible from throughout the whole program. One interesting aspect of the Immunity Debugger has nothing to do with actually analyzing code. Rather, it has to do with companies advertising for programmers and researchers right through the tool. As Immunity Debugger is free for download one way that Immunity has decided to support the product is to allow employers to insert advertisements for job openings. Now companies can have a direct link to the individuals they would like to locate, specifically, persons who are familiar with debugging programs. A unique and interesting approach. Although some companies would probably like to turn this feature off, this is just the cost of a free tool. I am willing to bet that Immunity would be willing to do it for a small fee, or perhaps there is a module that can be excluded when compiling the tool. That would also depend, however, on Immunity releasing the source code for this debugger and I am not sure if that is the case.

UPDATE: I just discovered something that was worth an update. I downloaded the Immunity Debugger. First it required a simple registration and then I received the Windows Installation file: ImmunityDebugger_setup.exe. Yes, Windows Installation Executable file. I would think that if this is written in Python that I would be able to run it in Linux at least. Big deal? No. But I was surprised.

Immplant
After reviewing the Immunity Debugger, Dave handed me a little piece of paper. It contained information about a future Immunity product that they are trying to drum up interest in. The product will be called Immplant. Here is what the paper said about the product.

A penetration tester often finds themselves in the position where they have access to a physical host for a short time, but they do not have a user name or password on that host. Immplant is revolutionary technology from Immunity, makers of the market leading CANVAS penetration testing software that allows penetration testers to leverage temporary physical access into permanent remote control.

Immplant is deployed as a PCI card, which can be quickly and easily installed on typical desktop machines. This card then wakes up when the machine is booted, and injects code into the operating system which causes it to call out to your listening post securely. Because Immplant is hardware based, software protections such as anti-virus cannot prevent it from operating and it leaves no traces on the hard drive to be analyzed.

Immplant, not being resident on the hard disk, ignores full-disk encryption, patches, and many kinds of OS upgrades and reconfigurations.

Basically, this is a hardware device that will pump a shell back to a remote computer. I guess this is the same premise as subverting video cards or other hardware devices. But I am a little concerned about the statement “it leaves no traces on the hard drive to be analyzed.” Certainly, this type of device will not require software written to the hard drive but there is still the issue of memory. Unless the device can ensure that all of its activity is restricted to RAM then I guess it would be very difficult to detect during analysis. But if any of the information gets written to the page file or swap space then I imagine that there would be something to analyze. Even if it is not immediately obvious there should be a way to identify and correlate information with this device. After all, that is why we have forensic analysis. When I queried Dave about this he did not have the answer and the person who did was attending one of the sessions at that time. The next thing that interested me was the communications protocol. I assume that they will be tunneling the communications over HTTP or HTTPS. Dave also did not have a response to this question but this time I felt it was more due to the fact that they were still working out different methods for communications or, very possibly, he didn’t want to give out that information.
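The point above, that a device which never touches the disk can still leave its HTTP or HTTPS call-outs in RAM or in the page file, can be checked with ordinary string carving. The script below is an added illustration of that idea and is not code from the original post or from Immunity; the page-file bytes and the host names in it (the `.invalid` domain, the `/beacon` path, the allowlist) are constructed for the example. It carves HTTP request lines and their `Host:` headers out of a raw memory or page-file image and reports which hosts are not on a list of expected destinations, which is the kind of correlation an analyst would do to spot a beacon to an unknown listening post.

```python
import re
from collections import Counter

# Constructed sample of what a page-file or RAM capture might hold: slack bytes,
# a normal browser request, and repeated call-outs to an unexpected host. None of
# these strings come from a real device or capture.
SAMPLE_PAGEFILE = (
    b"\x00\x00\x90\x90MZ\x00\x00"
    + b"GET /update/check HTTP/1.1\r\nHost: listener.example.invalid\r\n"
    + b"User-Agent: Mozilla/4.0\r\n\r\n"
    + b"\xff\xfe random slack data \x00\x00"
    + b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    + b"\x00" * 16
    + b"POST /beacon HTTP/1.1\r\nHost: listener.example.invalid\r\n"
    + b"Content-Length: 0\r\n\r\n"
    + b"CONNECT listener.example.invalid:443 HTTP/1.1\r\n\r\n"
)

# An HTTP request line followed by zero or more "Name: value" header lines.
# CONNECT (used for HTTPS through a proxy) carries the host in the target itself.
REQUEST = re.compile(
    rb"(?P<method>GET|POST|HEAD|PUT|CONNECT) (?P<target>\S+) HTTP/1\.[01]\r\n"
    rb"(?P<headers>(?:[A-Za-z0-9-]+: [^\r\n]*\r\n)*)"
)
HOST_HEADER = re.compile(rb"^Host: ([^\r\n]+)", re.M)


def carve_http_requests(blob: bytes):
    """Return (offset, method, host) for every HTTP request found in the image."""
    found = []
    for m in REQUEST.finditer(blob):
        method = m.group("method").decode()
        if method == "CONNECT":
            # CONNECT host:port HTTP/1.1 -- strip the port to get the host
            host = m.group("target").split(b":")[0].decode()
        else:
            h = HOST_HEADER.search(m.group("headers"))
            host = h.group(1).strip().decode() if h else None
        found.append((m.start(), method, host))
    return found


def unexpected_hosts(requests, allowlist):
    """Count requests per host for hosts not on the analyst's allowlist."""
    counts = Counter(
        host for _, _, host in requests if host and host not in allowlist
    )
    return dict(counts)


if __name__ == "__main__":
    reqs = carve_http_requests(SAMPLE_PAGEFILE)
    for offset, method, host in reqs:
        print(f"0x{offset:08x} {method:8s} {host}")
    print("unexpected:", unexpected_hosts(reqs, {"www.example.com"}))
```

On a real image the request text may be split across non-contiguous pages, so a carver like this finds the easy cases and misses fragments; the more complete step is to reconstruct process memory first and then run the same string search over each process's pages. Either way, the request strings are exactly the trace the marketing copy says will not exist, and they are what an analyst would correlate with firewall or proxy logs.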

Personally, I don’t think organizations who are doing proper security will have a problem with these devices. Unfortunately, the average home user will not have the protections in place to prevent the installation and activity of this type of device, making this an interesting tool for private investigators, parents, or even the system administrators that want to maintain a guaranteed connection with a computer. This could have a positive impact on locating and controlling stolen computers. But, could you imagine if a small mom-n-pop computer service business started implanting these as a “service” to their customers? And, hopefully, Immunity has the common sense not to let the GeekSquad get a hold of any of these.

Go forth and do good things,
Cutaway
