It’s always interesting reading about larger-scale fraud like this recent case at the Bank of Queensland. You wonder in cases like this: had the accused pulled the pin earlier, would he ever have been caught? And you wonder how many do get away with it by stopping before the obvious alarm bells start to ring.

There’s no generic fraud-detection solution or strategy to critique, as each organisation addresses its own internal security and risk management practices differently, but there is a scary pattern of misguided thought when it comes to securing systems and actually defending against, and detecting, fraud. It’s “security” by definition, but are many blinkered about what the full definition of “security” encompasses? I think so.

Many in the security industry are focussed to the point of obsession only on vulnerabilities and technical attack vectors (new attack type X, new attack type Y – generally old stuff re-invented in different ways but promoted as the next big thing by many in the industry). It’s a narrow view that stops at the technical exploit. That’s not where the role of a security professional should stop. Read on:

(more…)



It’s been almost 2 years since Declan Ingram did this presentation at Kiwicon that looked at perimeter security – IDS/IPS/WAFs/FWs etc and “Managed Services”.

Listen to the start of the podcast for the introduction (some good stuff), and then the full presentation starts at 14:50. As Patrick Gray of Risky Business says: “If you are a Chief Security Officer, this is a must listen”:

http://risky.biz/netcasts/risky-business/risky-business-49-your-shiny-new-ips-wont-save-you

Talking recently to a client who is about to go to RFP for a “managed services” solution highlighted to me that many organisations are still struggling to understand what they actually want vs. what they will actually get/end up with. Accountability hand-balled? Better security? Meeting compliance? What do they want? Read on:
(more…)



Setting the scene with some recent, somewhat provocative posts to generate thinking, debate and discussion and get some interest before the context and substance in this post. Hopefully. And yes, a heap of emails, tweets, DMs and phone calls received today. (Gees, not bad for a Sunday. Do infosec dudes ever switch off and have a break?) To be honest, while most were supportive, a few were asking me what the hell I was basing my points on, and whether I was shooting myself in the foot with some vendors now and in the future. (Hey, big assumption that anyone actually reads this stuff I write.) For the latter, I probably was/am, but as most people know, I am not scared to put my opinion out there for critique and flames but, most importantly, as mentioned, to generate thoughts and discussion. It’s not a glory-boy thing; it is what it is and I don’t profess it to be anything it is not. (Refer to the top right corner of the home page for the disclaimer.)

So, getting to the point of this (finally, you’re probably thinking). WAFs are an easy target to generate discussion (more polarising than most other technical topics at present), but I’m not just talking about WAFs here. They’re just the example. It could be anything from technology entrenched in our industry through to the strategic thinking and approaches that look at where our industry is, where it should be and, most importantly, the steps needed to make valuable and significant improvements to IT, business, home and society in general. Read on:

(more…)



I can’t believe the number of security “specialists” (many well-known guys) who have jumped on the Web Application Firewall bandwagon! (WAF – f**king hate each new acronym.) Amazingly, these dudes have done it all… by chance/coincidence, to coincide with PCI DSS requirement 6.6! Where were they before this???? All heroes now! Put your hands up! Driving business… that is it… oh wow… I discovered a vendor that does this!

If your favourite blogger is perchance all of a sudden a fan of a WAF and helping push a product, I reckon you need to think about what they are doing! (Talking to industry dudes, cred may already be gone.) Were they pushing the same message 12 months ago? Are they now a QSA (not that that matters so much, but it may ride on PCI DSS 6.6) and using that to drive business?

Has our situation changed that much that previous anti-WAF dudes are now sold on the benefits?

(more…)



“The cloud…..so pretty!”….thanks Wade for pointing me to this one at loglogic. This opened up a bit of discussion between a group of us on this “security in the cloud” business. Thought some of the comments would be worth putting together.

Some of my thoughts were previously covered here also. Anyway, the following are some of our ramblings. Feel free to add your comments.

(more…)



I’ve had the following posted on IT Security Link:

The Great Managed Perimeter Security Services Swindle 

Good luck to the team there with their new site.



Declan Ingram, Securus Global Practice Manager talks about IDS/IPS security at Kiwicon 2007. Broadcast here at Patrick Gray’s excellent weekly IT Security broadcast, Risky Business.

Synopsis: “When you consider the system as a whole, there are plenty of ways to bust an IDS / IPS. From the wire to the incident response team we will work through various limitations and examples of potential mischief.”



Picked this up from RSnake’s site. Worth a look…this is part of a larger 20 minute documentary he says.



New technologies, some new approaches and a plethora of products (wrapped up in fancy new terms) keep appearing on the market, but what’s really changing in terms of bottom-line protection and security?

www.computerworld.com.au/index.php/id;748050467;fp;4;fpid;16
www.computerworld.com.au/index.php/id;349496118;fp;16;fpid;1

From what we are seeing, a reliance on technology alone is still rife out there. Organisations are still buying IDS / IPS systems and see these systems as the silver bullet to their perimeter and in some cases, internal security needs.

I recently asked some of the Security-Assessment.com team their thoughts on IDS / IPS and firewalls and what impact we have seen on our ability to perform web application / penetration testing. Here’s a summary of some of the comments. I hope you find this interesting:
———————————
The success of these things, as we all know, depends on the implementation and skill of the analyst deploying and managing the systems. Even then, to rely on these things as the solution is dicey. In the majority of cases, they just don’t end up doing what they were purchased for. An easy test that most fail is basic port scans (which almost all are configured to pick up). We assume most are picking up “loud” scans (really fast and obvious scans with no attempt to be sneaky about what we are doing), but few people are pulling us up on this. (Keep in mind, with the majority of our tests, we recommend that clients don’t tell the operations team responsible for monitoring these devices that we are going to test – thereby, we also test the response effectiveness.) Where such packets are being dropped, as we expect they would be, by slowing down the scans we generally get the desired result we’re looking for!

Most of the IDS we come across is Snort. While it is a real-time IDS, people use it as a batch-mode audit tool, to review data after the fact. This doesn’t affect our testing. Few non-government clients’ perimeter defences actually impact our ability to perform our testing work. I can’t remember the last time this happened. We generally only get picked up (and even then, just on basic port scans – nothing clever) when the network team knows there is a test on at the time – otherwise, it’s free rein – standard at the application level.

An IPS only forces the attacker to know their exploits better, and take things slower. For instance, an IPS may drop all packets that have NOP sleds in them (0x909090 etc.), which are used in a lot of (kind of sloppy) buffer overflows. It is however possible for an attacker to stop the IPS from seeing this. E.g.:

1) remove the NOP sled and calculate the return address in the exploit properly.
2) play with encoding of the data and fragmentation of the packet
3) encrypt the packet.

Point 3 brings me to the major point about IDS / IPS: network encryption. Anything of value should be encrypted, and when you stop the bad guys from seeing your traffic, you also stop the good guys. There are ways around this, but the people who engineer the IDS/IPS implementations don’t always think it through. Sometimes the mere existence of traffic is enough to cause alarm, without even needing to know what is in it. For instance, an SSH connection from the Internet to an internal host, or an unauthorised VPN terminating on a workstation. But not always. HTTPS to web servers is often missed – which is a critical one.

As we know, the way around this (and many, many other IDS/IPS bypasses) is proper design and administration. There are only a handful of people in Australia who know how to run an IDS properly, and fewer companies that are willing to pay for their IPS to be administered to a useful level. The whole system is just so expensive – with most implementations being a waste of time and good money. I could go on for hours, but I guess that gives you the idea :-)
————————————–
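Two of the evasions in the comment above, slowing a scan below the detector's rate threshold and splitting or re-encoding a NOP sled so a per-packet signature never matches, run here against a toy IDS. This is an added illustration, not code from the original post or from the Security-Assessment.com team; the scan threshold, window, the "eight 0x90 bytes" signature, the IP addresses and the payloads are all constructed for the demo and are not real Snort rules or traffic.

```python
"""Toy IDS: a rate-threshold scan detector and a NOP-sled signature, with the
evasions that defeat each (constructed demo; not the post's code)."""
from collections import defaultdict

# --- 1. Threshold-based port-scan detection ---------------------------------
# Many scan detectors alert when one source touches more than N distinct
# destination ports inside a sliding time window.  A scanner that spaces its
# probes out past the window never trips it (the "slow it down" point above).
SCAN_PORT_THRESHOLD = 20     # distinct dst ports from one source (assumed)
SCAN_WINDOW_SECONDS = 5.0    # sliding window length (assumed)


def detect_port_scan(packets, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """packets: iterable of (timestamp_seconds, src_ip, dst_port).

    Returns the set of source IPs that hit `threshold` or more distinct
    destination ports within any `window`-second span.
    """
    history = defaultdict(list)   # src_ip -> [(timestamp, dst_port), ...]
    alerted = set()
    for ts, src, dport in sorted(packets):
        hist = history[src]
        hist.append((ts, dport))
        # expire events that fell out of the window
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        if len({p for _, p in hist}) >= threshold:
            alerted.add(src)
    return alerted


def make_scan(src_ip, ports, interval_seconds):
    """Constructed probe list: one SYN per port, `interval_seconds` apart."""
    return [(i * interval_seconds, src_ip, port) for i, port in enumerate(ports)]


# --- 2. Signature-based NOP-sled detection -----------------------------------
NOP_SLED_SIGNATURE = b"\x90" * 8   # "eight 0x90 in a row" (assumed rule)


def inspect_packet(payload, signature=NOP_SLED_SIGNATURE):
    """Per-packet inspection: the cheap, stateless way many sensors run."""
    return signature in payload


def inspect_stream(segments, signature=NOP_SLED_SIGNATURE):
    """Stream reassembly: join the TCP segments before matching.  This is the
    'proper design and administration' answer to fragmentation."""
    return signature in b"".join(segments)


# Constructed payloads (no real exploit; b"PAYLOAD" stands in for shellcode).
PLAIN_SLED = b"\x90" * 12 + b"PAYLOAD"
# The same bytes delivered as two TCP segments of 6 NOPs each: neither
# segment on its own contains an 8-byte run.
FRAGMENTED_SLED = [b"\x90" * 6, b"\x90" * 6 + b"PAYLOAD"]
# Classic substitution: on 32-bit x86 the single-byte opcodes 0x40-0x43
# (inc eax/ecx/edx/ebx) execute harmlessly ahead of the payload, so the sled
# still works without a single 0x90 byte and the signature never fires.
ALTERNATIVE_SLED = bytes([0x40, 0x41, 0x42, 0x43] * 3) + b"PAYLOAD"


def demo():
    fast = make_scan("198.51.100.7", range(1, 31), interval_seconds=0.01)
    slow = make_scan("198.51.100.8", range(1, 31), interval_seconds=10.0)
    return {
        "fast_scan_alerted": "198.51.100.7" in detect_port_scan(fast),
        "slow_scan_alerted": "198.51.100.8" in detect_port_scan(slow),
        "plain_sled_per_packet": inspect_packet(PLAIN_SLED),
        "fragmented_per_packet": any(inspect_packet(s) for s in FRAGMENTED_SLED),
        "fragmented_reassembled": inspect_stream(FRAGMENTED_SLED),
        "alternative_sled_reassembled": inspect_stream([ALTERNATIVE_SLED]),
    }


if __name__ == "__main__":
    for check, fired in demo().items():
        print(f"{check:32s} {'ALERT' if fired else 'silent'}")
```

The point of the last line of the table is the one the comment makes: reassembly fixes the fragmentation trick but does nothing for a sled that simply does not contain the byte the signature looks for, which is why signature tuning never ends and why the comment lands on design and administration rather than the box.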

Personally, I just don’t see application inspection on web traffic. Of all the web jobs I have done in the last 3 years, not one had a front-end ‘box’ with the solution.
—————————–

In some cases, particularly with a certain FW’s application intelligence enabled (about 10% of jobs), our port scans get trapped in an endless loop and cannot properly complete. But even with this enabled, there is nothing to restrict what sort of packets reach web servers, because all network firewalls pretty much allow anything through to 80 and 443. Still haven’t come across an effective application-layer firewall in our testing (or if I have, I never noticed, since it didn’t impact testing!)

IDS/IPS inside the network are rarely ever effective because:
- they may remain un-updated with signatures
- no resources for log inspection/correlation/reporting/incident mgmt (unless you are military?)

Also, in many jobs, we find firewall rules are not secure enough, i.e. you can get past certain rules by flipping your source port or other parameters to certain values :-)
—————————————-
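The "flip your source port" weakness in the comment above usually comes from a stateless rule written to let replies back in (the classic one is "allow anything with source port 53, that's DNS"), which keys on a value the sender chooses. Below is an added illustration of that rule set beside a stateful version; it is not code from the original post and not any vendor's rule syntax, and the addresses, ports and rules are constructed for the demo.

```python
"""Stateless 'allow source port 53' rule vs. a stateful reply check
(constructed demo; not the post's code or any firewall's syntax)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True      # True: new-connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.sport is None or self.sport == pkt.sport) and
                (self.dport is None or self.dport == pkt.dport))


def evaluate_stateless(rules, pkt):
    """First-match evaluation; implicit deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The kind of inbound rule set the comment describes: someone wanted DNS
# replies back in, so they allowed anything with source port 53.  The source
# port is set by the remote end, so an attacker just picks 53.
WEAK_INBOUND_RULES = [
    Rule("allow", dport=80),
    Rule("allow", dport=443),
    Rule("allow", sport=53),        # "DNS replies" - the weak rule
    Rule("deny"),
]

# Explicit published services only; replies are handled by connection state.
SERVICE_RULES = [Rule("allow", dport=80), Rule("allow", dport=443), Rule("deny")]


class StatefulInbound:
    """Inbound filter that lets a 'reply' through only if it answers a
    connection an inside host actually opened (tracked from the outbound
    side); everything else goes through the explicit service rules."""

    def __init__(self, service_rules):
        self.service_rules = service_rules
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def record_outbound(self, pkt: Packet):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def evaluate(self, pkt: Packet):
        if not pkt.syn and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"            # genuine reply to a tracked flow
        return evaluate_stateless(self.service_rules, pkt)


def demo():
    # Attacker on the Internet aims at SSH on an internal host, but sets the
    # source port to 53 so the SYN looks like a DNS reply to the weak rule.
    probe = Packet(src="198.51.100.7", sport=53, dst="192.0.2.10", dport=22, syn=True)

    stateful = StatefulInbound(SERVICE_RULES)
    # A real DNS query from inside, and the reply it produces.
    stateful.record_outbound(Packet("192.0.2.10", 40123, "203.0.113.53", 53))
    real_reply = Packet("203.0.113.53", 53, "192.0.2.10", 40123, syn=False)

    return {
        "weak_lets_probe_in": evaluate_stateless(WEAK_INBOUND_RULES, probe),
        "stateful_blocks_probe": stateful.evaluate(probe),
        "stateful_allows_real_reply": stateful.evaluate(real_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The same mistake shows up with source port 20 for FTP-data and with "established" rules that only check the ACK flag; in each case the fix is the same as above, match replies against a flow the inside opened rather than against a field the outside controls.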

In summary, we are seeing growth in the deployment of perimeter defences but, surprisingly, we’re not being impacted in our ability to crack system defences and discover major weaknesses in network and application environments. So what are these systems doing in most organisations?

www.securityfocus.com/firewalls
www.securityfocus.com/ids

On the flip side, very few organisations are investing in vulnerability assessment and management solutions. Go there first, I would recommend, and proactively fix your vulnerabilities, so that even if someone or something (e.g. worms) gets by the FW, IDS and IPS (and they will!), in most cases (I say most) there shouldn’t be anything left to exploit on your hosts and other network devices. Applications are another beast – develop securely and test, test, test – throughout the SDLC and regularly in production!

The Jericho Forum approaches perimeter security from an entirely different angle. If you’re not up to speed with what’s happening here, it’s worth a read.

www.opengroup.org/jericho/

Posted in: Firewalls, IDS, IPS