Monthly Archives: October 2012

Active Directory Unification and Attribute Cleanup

I recently posted about Active Directory Unification. The main points were (1) that there is value in AD consolidation and (2) that there's a right way to do it to meet the intended goals.

Sander Berkouwer posted earlier this month on Active Directory attribute integrity. He makes the point that with all the tools Microsoft provides to enable tighter management of identities and access (FIM, ADFS, ADRMS, DAC), Active Directory Cleanup is more important than ever. Berkouwer writes:
"When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first encountered problem."
Absolutely.

Most people that I speak with jump into the benefits that cleanup will have on the AD Unification process. The reality is that the real value of cleanup is enabling the right functionality and access controls after the unification process is complete. (Of course, as I wrote, it's never really complete - it's not a onetime event.)

It's worth making the distinction.

Drunken Security News – Episode 305 – October 18, 2012

Incident Response in 3.08 MB - Always nice to see folks, like our good friend and Stogie Geeks co-host Tim Mugherini, writing about tools that work. This product just sounds useful: The idea behind Carbon Black (CB) is to monitor code execution. A small Windows agent is deployed to each host throughout the enterprise. This agent hashes each process, monitors the sub processes, module loads, registry edits, file writes, and network connections. Digital signatures and the activity of each binary is stored on the CB server.

National Weather Service Hacked - In other news, snow storms are reported in Miami, earthquakes in the mid-west, and its been raining in San Diego for 3 weeks straight, but sunny and 75 in Seattle. CSRF and XSS strike again! The Importance of Security Awareness - User awareness is still kicking around, and everyone seems to have a different take. One thing we all agree on is that it leaves gaps, which is why you need other stuff to protect your organization. After exploring this topic, I am of the opinion that you need an awareness program. There are several companies providing this type of service, go seek them out, get a solution to educate your users that fits you, and your budget/ROI, and run with it. I firmly believe this is something everyone needs to have, just like a firewall or IDS (as lame as that sounds). Know how much return each defensive measure provides and use it accordingly.

Zero-day attacks last much longer than most would believe - This speaks to the huge problem we have with software security. On average, its takes 10 months to uncover a 0day vulnerability. Yikes, 10 months is a long time and a lotof damage will occur.

Pacemaker hacker says worm could possibly 'commit mass murder' | Computerworld Blogs - Barnaby Jack strikes again, in what could be a huge problem. This is something that has always bothered me, what happens when criminals take advantage of technology to damage people? Sure, many evil hacking groups launch DoS attacks and break into places like Sony. Thats the least of our worries, as when attacks can affect people's health and well-being on a mass scale, its a game changer. We've seen some car hacking stuff, but pacemakers hit the "heart" of the matter. The response seems to be as much diluted as it always has been, lots of finger pointing and disbelief.

Dan Kuykendall – Episode 305 – October 18, 2012

Interview Dan Kuykendall

Dan manages NT OBJECTives’ software development and has an extensive background in web application development and security and is co-host of "An Information Security Place" Podcast.

How did you get your start in information security? We are seeing the proliferation of apps using JSON, AJAX, REST, etc. These apps have vulns that aren't being tested by scanners and people don't know how to test them, yet there are serious vulns there. What about HTML5, what are the new vulnerabilities and protections? How can we test them? What are the challenges, and solutions, for an automated scanner to overcome authentication? How do you handle technologies such as Flash? Which seems to have more vulnerabilities, in-house written apps, open-source or commercial? Or are they all even? What advice do you have for folks looking to acquire an application to solve a business problem? Scanners traditionally have trouble with certain vulnerabilities, which ones are the most problematic? Are people testing them by hand? If so, what can you do to be the most efficient? Scanners haven't really kept up with the application technology and the coverage gap is widening. Scanners need more application coverage. They will never cover all of the app, but they should cover more. What are your thoughts on that as pen testers? How do you balance manual and automated testing? Which vulnerability, with respects to web applications, goes unnoticed and unlatched the most? What training options are available for application developers? What advice do you have for folks who want to get started and learn how to test web applications for security?

WordPress Insecurity, Drunken Security News – Episode 304 – October 11, 2012

Guest Tech Segment: Charlie Eriksen on Wordpress plugin security

In this technical segment, we will look at Charlie Eriksens research into Wordpress plugin security. By searching large amounts of code for code that is often insecurely written, it is possible to find a large amount of vulnerabilities in plugins running on thousands of Wordpress sites across the internet.

Stories

How Your #Naked Pictures Ended Up on the Internet The Security-Conscious Uncle - Yea, I'm talking about ATM card security. After reading this, and hearing my thoughts and views on Debit cards, I want to keep my money in my own safe. Banks make it so hard to keep your money secure. I don't want a Debit card, its a ridiculous concept that only benefits the bank. I want more than a 4-digit pin number too. My best advice is to only tie your ATM card to an account with a small amount of cash to limit damages, if your bank even allows you to do that. No homecoming queen vote if you don't wear RFID tag? - I'm sorry, I don't want to wear an RFID tag. Tracking students has gotten way out of control. I proved how you can clone RFID tags in a MA CCDC compition. So, students, if you want a lesson on how to become any one of your classmates, please come find me. Hacker wins $60 - Don't get me wrong, I think this is a good thing. The more we encourage legit folks to find vulnerabilities, the better. Firefox 16 pulled offline following security flaw find - Firefox is becoming the new IE! Mobile Brings a New Dimension to the Enterprise Risk Equation - I think I've solved the BYOD problem, just buy all employees brand new iPhone 5s, manage them with an MDM (like Apple Profile Manager) and everyone is happy. I think this comes down to giving the people what they want. Reporting Mistakes - I agree that we need to be forthcoming about where security has failed. I don't get First, talking about the exact way to exploit an 0day makes it easier for more people to exploit it. Learning of a 0Day exploit, and the details, gives us a fighting chance to defend ourselves. I think there has to be some quiet time if you want to involved the vendor, then you gotta tell people. It also depends on the nature of the 0day, maybe the vendor won't listen, or maybe its 0Day in the DNS protocol. James Bond's Dry Erase Marker: The Hotel PenTest Pen - SpiderLabs Anterior - This is just way too super cool, best usage of Arduino and Dry Erase marker EVER (maybe the only usage of the two together). HP Communities - CISO Concerns - Security vs. Usability - CISOs love to bat around terms like security, usability, compliance, affordability, ROI, etc... These are fine, in the right context, but lets not forget, you have the word security in your title, and at some level you have to prevent people from getting pwned. Sometimes I think we lose site of that.

Daniel Suarez – Episode 304 – October 11, 2012

Interview Daniel Suarez

Daemon and Freedom were fairly epic. How difficult was it to begin Kill Decision knowing that you had a gang of fans with such high expectations for your next book? Tell us about Kill Decision There was a fair amount of drone usage in FreedomTM). Was there a particular event or news story which inspired you to concentrate on drone warfare for Kill Decision? What was the germination like for Kill Decision? Was it formulated before or after Daemon and Freedom(TM) What kind of research did you do to get the drone hardware to be realistic in the book? In a recent interview, you indicated that technology was being siphoned out of high tech meccas into other parts of the world via both Globalization as well as good old fashioned Espionage. Do you think, at least for the US, we're past the point of no return when it comes to ensuring that we're not giving away our intellectual property when we farm out our manufacturing overseas? Similar to the above, one of the warnings in Freedom(TM) appeared to be that a nation has to safeguard its food sources - not to be complacent about the importance of being able to grow your own food to feed its citizens. Do you feel that the government is aware of this issue or that more needs to be done? Where do you see the future of drone warfare going? Since the book has been published, have you been given any additional information concerning how close we are to the reality seen in Kill Decision? There was one term which we're told gives a lot of writers "grief": making love. How tough was the love scene to write in Kill Decision? :)

Unstructured Data into Identity & Access Governance

I've written before about the gap in identity and access management solutions related to unstructured data.

When I define unstructured data to people in the Identity Management space, I think the key distinguishing characteristic is that there is no entitlement store with which an IAM or IAG solution can connect to gather entitlement information. 

On File Systems, for example, the entitlements are distributed across shares & folders, inherited through the file tree structure, applied through group memberships that may be many levels deep, and there's no common security model to make sense of it.

STEALTHbits has the best scanner in the industry (I've seen it go head-to-head in POC's) to gather users, groups, and permissions across unstructured data environments and the most flexible ability to perform analysis that (1) uncovers high-risk conditions (such as open file shares, unused permissions, admin snooping, and more), (2) identifies content owners, and (3) makes it very simple to consume information on entitlements (by user, by group, or by resource).

It's a gap in the identity management landscape and it's beginning to show up on customer agendas. Let us know if we can help. Now, here's a pretty picture:

STEALTHbits adds unstructured data into IAM and IAG solutions.