Monday, August 29, 2011

An Apple, Today, Gave Your Data Away

I'm not really huge on writing about events in the news but this one seems pretty huge and I think there are some people that might not see the implications.



Basically Apple's new OSX 10.7 (Lion) allows Mac users connected to a domain to log in as any other user on that domain. If you're an administrator and you have someone on your domain using 10.7, then that means they have access to the administrator account, the nice HR lady's account, and Joe the CEO's account (or Kieth the Chief as it may be).

I'm not saying OSX 10.7 machines connected to a domain are prolific or anything, or that would-be attackers would need OSX Lion to subvert LDAP authentication. It's kind of like a lock on a glass door: it's not actually a security mechanism, it's just there to keep honest people honest.

Think about it: if you have an ambitious employee with open access to every piece of data on the domain, what kind of trouble could they get into? They probably don't want to actively damage the company in any way, but they might accidentally release company secrets before the press release to stroke their ego. Potentially worse is if they find something that upsets them. When things like payroll or personnel records make it to the general workforce, morale and trust can take a huge hit.

Now imagine all of that with a disgruntled employee or an attacker with something more to prove. How much easier would the three Arizona Department of Public Safety attacks have been for the attackers if all they had to do was snag one administrator password? How much more detrimental would it have been? I imagine LulzSec/AntiSec probably wouldn't have bothered with any other attack since they would have been able to connect to the domain and freely exfiltrate anything they wished. Moreover, strong passwords wouldn't have been a limiting factor. Surely they didn't get access to EVERY domain account; what information was left for them to pilfer?

Long story short, attack vectors like these are being discovered all the time. We have moved out of the Information Age and are moving into the Security Age, and it's time to take these threats seriously. I'm sure AZDPS believed they couldn't be the target of a cyber attack, and so did the Bay Area Rapid Transit Authority. But the reality is that as soon as an LE agency or private company makes the front page, they're a target.





Friday, August 26, 2011

Cyber Command Should Have a Football Team


People keep asking me, “Lee, what tools do you use?” or “Have you ever configured an xyz network device?” When I answer them, either they are surprised because I tell them it doesn’t matter which tools a person uses, or they look at me like I ride the short bus because I tell them I don’t care what kind of firewall they use because they’re all pretty much the same to me.

Well, to get off on a vendor rant for a second... Firewalls are either stateful inspection or they are not. They have well-written rules or they do not. And if someone manages to set one up without logging enabled, it is of no use to an Incident Responder. All of the above has nothing to do with a specific vendor (although they will fiercely argue that point!) but with the way the engineer sets it up. So it doesn’t matter to me which firewall a company uses because it’s up to the person that deploys it to do a good job.

Firewalls, platforms, and entire industries aside... the point I have the hardest time getting across is that information security is not a technical field. People generally think of hacking the Gibson or some arrogant kid with a 2-foot red Mohawk writing a virus. Sure, there are technical aspects of it and it’s best if you have some of those skills, but security has a lot more in common with playing football than it does with any one tool.




Security is a mindset. It is not the measure of a tool, the number of machines in a botnet, or the complexity of a new exploit. Security’s methodical mindset can be applied to any situation regardless of environment. It is about having an explicitly defined understanding of a goal, a clearly defined target, knowing which resources you need, and knowing how to take the correct actions.

This mentality can be described perfectly when compared to football. A linebacker’s primary goal is to prevent positive yardage for the opposing team. The secondary goal is to create negative yardage for the opposing team. To prevent positive yardage, it is important to learn the behaviors of the quarterback, running backs, and other players that are directly involved in creating positive yardage.

A successful linebacker eventually learns how the combination of body language, formations, and players on the field translates into actions performed. Achieving the second goal is generally more difficult as it may require actual research or information from a third party. The linebacker needs to search for holes in the opposing team’s defense and then test them to see if he can gain access.

To take those actions and effectively generate negative yardage, the linebacker needs good information combined with opportunity. Opportunities come and go, but much of the information should be gathered beforehand. The linebacker should have researched which of the opposing linemen is left-handed and which is right. He should have also answered questions such as which players are injured and where; which players stayed up too late having a good time; which, if any, are at odds with the quarterback; and finally determined the skill level of each player. Like anywhere else, the more information that is gathered, the more effectively goals can be achieved.

On the surface, the goals in an information technology environment may seem different; instead of sacking the quarterback the goal may be to deface a web site or exfiltrate data. If you step back and reduce the situation back to its methodology, the goals are identical. The first objective in defacing a web server is to identify its exact location, which is comparable to the linebacker figuring out who has the football. Next, the attacker needs to find a method of gaining access to the server.

This would be the linebacker finding a route to the player possessing the football. Once the location is identified, the attacker will typically achieve access either through the use of valid credentials or with exploits. In parallel, when the linebacker is trying to bypass all of the opposing players and gain access to the ball, he has the same options. Although highly unlikely, the linebacker can do this by wearing the other team’s uniform (using valid credentials) or he can find a hole in the opposing team’s defense (an exploit).

Once the attacker has access and the linebacker has found his route, it is possible to leave a “back door” or attempt to escalate privileges. This part of the attack doesn’t translate as well to the football analogy, but the linebacker essentially has the privileges he needs to make a tackle, and football’s version of a back door might be identifying a weakness in the opposing team of which they are not aware, then trying to prevent them from finding it. To complete the analogy, the attacker’s privilege escalation is what allows him or her to make the tackle and deface the website.

Security is a mindset. When you apply that mindset to information technology it’s important to know the underlying protocols and the basic methodology behind infrastructure deployments. It is this understanding that allows an information security specialist to know which data to look for and only then are they properly prepared to select the tools required to obtain the relevant data.

Thursday, August 25, 2011

What?! Another New Security Blog


So why start a blog, why call it “Cyber Front Security”, and what do I offer that no one else does? Well… The short answer is I want to contribute to the community. My intent is to write this blog with a law enforcement audience in mind. Seeing as how I'm new in the field, I plan on posting a lot about getting into the industry, what it takes to move up, and the types of challenges to be expected.

But the real answer is that I’ve spent my entire life learning and training to be in the military only to have life happen and tell me "it wasn't so". So in 24 hours I went from knowing what I was doing for the next several years to feeling like this guy after he lands:


It’s really freaking cool until you face plant the big wooden target!

I had just resigned from working the radio at the local PD in anticipation of leaving for the military and I was left thinking, “Well crap… what am I going to do now?” So I called up my friends in the industry, went to a TON of conferences, and rebuilt my home lab. I knew my knees weren't gonna get any better and I knew which skill sets I was going to need. So I improvised; I started full time back in college and started attending those conferences so I could learn, meet people, and show something positive in the gaps on my resume. I adapted; I further developed the skill sets I would need to be successful in a corporate world. I overcame; I've found my niche.

I understand policing, I speak the lingo, and I know the people. Walking into a police department and telling them their network is insecure is easy (dealing with a bunch of officers that are now cranky... not so much!). Getting them to trust you to fix it is another thing entirely. People that carry guns for a living don't trust other people that don't. It's because they see what people are capable of every day and they're always the ones coming to save the day. It's difficult for them to sit on the other side unless it's for someone they already know they can trust.

Way back when I was young... (I can already see the baby face jokes coming!) I decided I really liked computers. I was playing Reader Rabbit and the Oregon Trail on my trusty (or was it dusty?) old x386. I built (and set flame to!) my first computer before I was 10, and I played at cracking passwords and with live CDs such as the original Auditor, the forerunner to the now-popular BackTrack.

For the past couple of years I’ve been working in the communications division of my local police department. I earned my GCFA a couple of months after I was hired and started helping the Intelligence unit with forensic analysis. But there wasn’t a huge caseload and of course I was a young, n00b FNG. It was really just a matter of time before I made a career out of it.

Well, here I find myself, fresh in the field as a Security Analyst at InterDev (www.interdev.com), and the sky is the limit! I’m working on all kinds of new and exciting projects with a law enforcement emphasis. We’re starting to develop some partnerships that I hope will help the law enforcement community get the help they need in fighting on the front lines of cyber security.

This blog is just one of the incarnations of my newly acquired career plan. I'm working in security now and I'm focused on working closely with law enforcement to defend against and take action on cyber crime. I don't think it will be long before law enforcement will be entrenched on the front lines of cyber security.

I'd like to throw a special shout out to Chris Pogue, Grayson Lenik, and Rob Lee for all the help and guidance, the opportunities, and their contributions to the community. There's no way I would have been able to get started so well without their help.

And of course I can’t leave out Harlan Carvey’s RegRipper and Kristinn Gudjonsson’s log2timeline for making analysts everywhere look like geniuses!