The Day the LOLcats Died

January 19th, 2012

Yesterday’s ‘technology blackout’ was a pretty profound moment for our industry. Not often do corporations align their political and policy views. There is no overarching body (like the MPAA or RIAA) that binds Facebook, Google, Wikipedia and others together, beyond maybe coffee shops on the west coast. Nor do we voluntarily black out our own revenue streams (like Wikipedia did by going dark) for small causes. SOPA and PIPA unified a very spread-out industry and for the first time showed the world what it would be like if they disappeared.

People can mock Wikipedia, but where else would you go to look for a complete discography of a relatively unknown 80’s rock band? You can mock LOLcats, but deep down we’ve all indulged in that guilty pleasure. Let’s face it: web media companies are vast empires now that are pivotal to our business and social infrastructure, and when all of them yell out against something in unison, that’s something we as a society should take seriously. And, I think a lot of people have.

No one has ever said throughout this entire process that software piracy is right. It should be outlawed. When Congress drafts a law that does that (and only that) most of us will support it. But, come on… Don’t take our Wikipedia away.

PS – The Day the LOLcats Died is a brilliant SOPA/PIPA protest song on YouTube posted a few days ago. Check it out.

- Ken Pickering, Development Manager, Security Intelligence

What’s a CISO to do?

January 18th, 2012

News out of Cupertino this week regarding a network breach, and the resulting theft of source code for four major security products, is enough to make any CISO go prematurely gray. We understand the fire drills involved when a security technology you rely on is compromised. In the case of Big Yellow, here is my advice to CISOs everywhere:

Focus now on remote access and anti-virus, and layer up

Layering security technologies introduces a complex defense against a complex offense, with the former being a lot harder for an attacker to neutralize. To some, defense-in-depth means more firewall layers as opposed to a single layer at the perimeter. To me, it’s about protecting the entire IT environment – from mobile to cloud, to databases and servers – and not just the now-shaky walls that surround it; assuming you can even decide what is inside your network and what is outside.

If you think of medieval Europe, castles had moats as well as locks on their gates and high walls, because even then people knew that a single element of defense could be overcome. If you rely exclusively on Norton anti-virus technology, plan to deploy at least one additional technology at some layer in your network – at the very least, use a different vendor’s product to scan your web and email traffic.

My biggest concern is the loss of the pcAnywhere source code. The purpose of pcAnywhere is to allow a person to access and control another machine over the network or Internet. If an attacker can find a way to take unauthorized and unauthenticated control of those machines, they bypass every defensive layer; it is as though they walked into your building, sat down at your computer and simply started working.

Email traffic and web traffic are the two most common transports for viruses and malware entering a network, so those are the areas where I would consider installing an alternative anti-virus technology first. (There should also be fewer of these gateways than there are user machines, so the rollout should be quicker and less intrusive.) The other two areas to focus on are desktops and servers.

The more disparate anti-virus technology you have, the more likely it is that new or evolving malware will be detected by at least one of them. Of course, adding these layers adds more management overhead, but if a single product is no longer able to detect attacks, an easy-to-use management interface for it isn’t going to provide any value.

Stay on top of the situation

Without good information we cannot make good decisions. I would recommend that Symantec customers call their rep and ask for all the details about what has been lost, and what Symantec knows about what the attackers are doing with this code. Repeat this step regularly: when this source code loss was first disclosed, the story was that code had been stolen from a customer’s server; this week it is Symantec’s own network that was breached.

Take a step back, and know your exposure

It is important to have a clear picture of your organization’s exposure to this risk, and to develop a plan to mitigate it. I know it’s hard to keep up with the rapid pace of change. We advise a full assessment from the inside out and vice versa – including the risks employees pose to information. Start with a penetration test that focuses on the biggest threats first – your web applications and your end-user awareness. With this knowledge in hand, you can prioritize where to focus and which of the most significant changes to make first.

- Alex Horan, CORE IMPACT Product Manager

We Are All Commanders

January 17th, 2012

I wanted to talk a little this week about why I (and the rest of my team) like working on our Insight product. There are very few times in someone’s career when they can work on something that is technologically cutting edge AND addresses an industry need. Honestly, you’d be surprised at the sheer number of engineering projects that are exceptionally cool (and also exceptionally large failures) or that are successful but soul-crushing in the innovation department (in that they address a business need, but are fundamentally boring).

My team and I get to work on a product that addresses a business need while also writing cutting-edge code that is the first commercial use of many of the methods we employ. As we go full-tilt into development of the next version, it’s amazing to see the excited looks on engineers’ faces at the new features we’re putting in. As one of the fearless leaders of our development team, it makes me feel good when someone picks up a feature, we work on a design together, and they can’t help but get excited about building it.

That’s what makes the Insight development crew hum. A crack engineer can sling code anywhere, even in a down market… but if what they do is very rewarding and they are part of a dynamic, growing team, that’s a clear victory.

To any of my fellow engineering whizzes who take themselves out of Eclipse long enough to read this: Good work in 2011 guys. Let’s tear up 2012, too.

- Ken Pickering, Development Manager, Security Intelligence

My Compulsory Year in Review

December 30th, 2011

I am contractually obligated to write a year-in-review post, as are most bloggers at this time of year. Fortuitously, as I looked back over 2011 there were plenty of things to write about. As the curse goes, we lived in interesting times over the course of 2011.

Organized attacks, something us (we?) in the industry knew had been happening for quite some time, became front-page news when the folks behind them used the results of those attacks to publicly shame companies and try to drive their own agenda. As a result it has become a little easier to demonstrate that security spending is not the same as setting fire to money. All of this came with a slight feeling of Schadenfreude, as we were able to use the examples of well-known major breaches as justification for our efforts.

My point of view literally matches that of my product (Core Impact Pro). That is, the point of view of the people who spend their days concerned about how attackers might breach corporate – and in some cases national – digital boundaries and attempt to cause mischief. To further help customers accurately assess their level of security, we released v12 of Impact, where we extended our Network, Client Side, Web App, WiFi and Network Routers/Switches testing to also include the ability to test mobile devices.

As I type “version 12” it makes me think beyond this one year to the entire journey of the Impact product; it has long been an exciting time developing and growing the product as the security industry has evolved and matured alongside it. Work began on Impact in 2001 (simple math: 2011 marked the 10th year of its development) and since its inception the goal has been to provide our customers with the ability to perform the same actions that attackers take when targeting a network, including:

- Exploiting a buffer overflow in an exposed service

- Targeting users inside a network via email attacks

- Using SQLi and other web application vulnerabilities to pivot into a network

- Brute-forcing credentials to gain unauthorized access to systems or exploiting

- Harvesting data from mobile devices.

I did some digging to demonstrate the growth of Impact over the past few years and was impressed with the rate of updates we have issued – from 82 in 2004 to almost 400 this year. By updates I mean the continuous releases that add to an ever-expanding library of commercial-grade exploits, as opposed to a major release with new features and functionality.

One of the exciting parts of living in the security space is the fact that it is never static. If you want a break from the constant need to learn new techniques and new paths of access to critical data, you either have to leave the industry or join middle management. As the person looking after a key product in this space, I enjoy the race to work out whether the new buzz in the twittersphere is something relevant worth adding, or simply noise that will pass in a few days.

Just like every year since 2004 when I joined Core, this past year has reminded me once again that we are always keeping pace with the needs of the security community. I am proud of that and we will continue to do this in 2012 and remain the best destination for security testing.

- Alex Horan, CORE IMPACT Product Manager

Drop the SOPA

December 20th, 2011

I develop intellectual property for a living, so I believe that people who do so deserve to be paid for producing it. Most developers and engineers fervently hope that they’ll get some form of payment for what they’re working on (be it monetary, or community status if Open Source). The software industry has just as much to gain and lose from piracy as the movie, film and music industries when it comes to getting adequate compensation for what we work on. So, the US Government has provided us with the Stop Online Piracy Act (SOPA) as the end result of complaints from media outlets about the threat “piracy” brings to their business model.

Once again, though, the government has shown itself to be uneducated when it comes to forming technology policy. This law has a very deep impact on the Internet at large, and gives the US government the ability to regulate search and content providers who (under the mysterious clarification) are distributing or linking to copyrighted content (be it movies or even images a rights holder wishes to enforce). In a petition on the new White House “open government” site, a user linked a copyrighted image from Imgur to show that the White House was now in violation of the very law they were protesting, highlighting the ludicrousness of the proposed legislation. Should the entire White House domain be blocked as a result, due to the linking actions of a single user? Should Imgur? (Check out “Everybody Pirates” for a file sharing gaffe from the media industry.)

And, is it much of a surprise that the Representative who sponsored the legislation receives a sizable contribution each year from the industries affected?

People should be paid for their work, but not at the expense of fundamentally crippling the freedom the Internet offers. I propose we pursue these instead:

- Online sites that explicitly support piracy, not search engines and blog sites.

- Countries that don’t respect digital copy protection, instead of harming those that already do.

- People that make money off of stealing digital information, not average citizens.

The government should not have a “blanket right” to remove information from a free-speech forum like the Internet via a ‘blank check’ law like this. It threatens some of the basic tenets of something we all use every day, with wide-open wording that gives broad power to an enforcement agency. While something should be done to make sure people get paid, it should go after real criminals and not corporations and average citizens.

- Ken Pickering, Development Manager, Security Intelligence
