How do you respond when a moose is on the loose?

What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes, people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on the phrase turns up cases where people who followed policy caused death, brain death and the release of murder suspects.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact that it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.

July Updates and Patch Report

After a lovely week off, I am now back in the country and reviewing what happened in the security world while I was gone. To my shock, the answer is… not much. This is probably the first vacation I’ve had in years when the bad guys took a break too.

Did interesting things happen last week? Of course they did. For example, I got to pet two otter cubs, take photos of venomous reptiles without protective glass and hold a grey fox in my lap. However on the security front, we’ve got a few updates here and there, and that’s about it. Sure, there’s news that various attackers have gotten incrementally better at this or that, but that’s not really news. That’s just what they do. Of course, since that’s what they do, it really should be what you do as well. However, that’s well off topic for this post.


We finally have an update to the MSXML problem. That is unless you run version 5.0, but who’d do a silly thing like that? The problem affecting Visual Basic DLLs is also addressed. Both of these issues are being actively exploited, so you should apply those patches immediately.

The patches also include critical issues on servers and workstations that involve Internet Explorer, TLS encryption flaws and file and directory name handling. Luckily, it doesn’t look like any of these patches are likely to cause problems, so you should probably just apply them.

Unless of course you’re running MSXML 5.0 … then you should probably replace it with version 6.0.

More on these issues can be found at the SANS ISC Blog.

Bonus Time

We gained an extra second last week. How did you spend yours?

If you were like some of our software/service vendors out there, you spent it crashing. This shows, yet again, that time is hard to deal with. There’s not much you can do about that, other than be aware that time isn’t as linear as we’d like, and things like leap seconds, leap years, time zone changes and such can wreak havoc on our systems.

Your best protection is to understand your extended business network better. Use a time synchronization system internally and set it to alert you if systems start to drift. Map out how your service vendors affect your business so you can easily identify when being down is on their side as opposed to yours (I test off my cell phone, so all traffic follows an isolated path).

Basically, the more you understand how information flows through your business, the better you can identify what causes that flow to fail.
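As an added example (not code from the original post), here is the kind of drift check the paragraph above recommends, written to survive the leap second that crashed the vendors mentioned: it accepts a 23:59:60 timestamp only on a real leap-second day, then flags any host whose clock is further than a threshold from the reference. The host names, timestamps and leap-second table are constructed for the example; a production version would take the leap-second list from IERS Bulletin C and the reference time from your own NTP source.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Optional

# Constructed subset of days on which a positive leap second (23:59:60 UTC)
# was inserted. The authoritative list is IERS Bulletin C; this is not it.
LEAP_SECOND_DAYS = {dt.date(2008, 12, 31), dt.date(2012, 6, 30)}

def parse_utc(stamp: str) -> dt.datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ'. Naive parsers reject second == 60, which
    is exactly what a leap-second timestamp carries. Here 23:59:60 is accepted
    on a leap-second day and mapped onto 23:59:59, the POSIX second that the
    system clock repeats during the leap; anywhere else it is a real error."""
    date_part, time_part = stamp.rstrip("Z").split("T")
    hh, mm, ss = (int(x) for x in time_part.split(":"))
    day = dt.date.fromisoformat(date_part)
    if ss == 60:
        if (hh, mm) != (23, 59) or day not in LEAP_SECOND_DAYS:
            raise ValueError(f"{stamp}: second 60 only valid at 23:59 on a leap-second day")
        ss = 59
    return dt.datetime(day.year, day.month, day.day, hh, mm, ss, tzinfo=dt.timezone.utc)

@dataclass
class DriftReport:
    host: str
    offset_seconds: Optional[float]   # None when the stamp could not be parsed
    alert: bool

def check_drift(samples, reference: dt.datetime, threshold_seconds: float = 0.5):
    """Compare each host's reported clock against the reference; alert when the
    offset exceeds the threshold or the timestamp is unparseable (a host that
    emits garbage time is as much a problem as one that drifts)."""
    reports = []
    for host, stamp in samples:
        try:
            offset = (parse_utc(stamp) - reference).total_seconds()
            reports.append(DriftReport(host, offset, abs(offset) > threshold_seconds))
        except ValueError:
            reports.append(DriftReport(host, None, True))
    return reports

# Constructed sample: four hosts polled at the 2012-06-30 leap second.
SAMPLES = [
    ("web01", "2012-06-30T23:59:60Z"),       # correct leap-second stamp
    ("db01", "2012-06-30T23:59:59Z"),        # in sync
    ("vendor-api", "2012-07-01T00:00:02Z"),  # three seconds fast
    ("legacy-box", "2012-07-15T23:59:60Z"),  # bogus :60 on a non-leap day
]
REFERENCE = dt.datetime(2012, 6, 30, 23, 59, 59, tzinfo=dt.timezone.utc)

def run_example():
    return check_drift(SAMPLES, REFERENCE)

if __name__ == "__main__":
    for r in run_example():
        print(f"{r.host:12} offset={r.offset_seconds} alert={r.alert}")
```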


Turns out Android has malware. This is probably news if your last phone was a Motorola DynaTAC. So, for those of you just now catching up, here’s the deal: phones are computers now. If you don’t treat your phone like a computer, bad things are going to happen. Use encryption, strong passwords, anti-malware and don’t go installing stupid stuff on it.

In fact, phones are bad computers! Much of the malware that runs on phones comes from applications that are, shall we say, somewhat adult in nature. Perhaps it would be better if, instead of viewing such material on a screen smaller than a mouse, people use that mouse and view it on a real computer running real protections.

If you do that, you can ignore all the “OMG! Android has Malwares!!!!11!!” articles that come out over the next year.


There is a new WordPress update out. If you’re running WordPress, install it ASAP. You can get it here, or just update it from within your dashboard. However, a caveat first. WordPress, as a platform, is great. You can post things quickly and easily. I use it all the time, myself.

But … and it’s a big but … the risk to using WordPress grows with each plugin that you install. It grows with the number of people who have the ability to post. Many site compromises occur because people host multiple sites with a large hosting company and if any one of them gets compromised, the attackers can bounce to other sites and take those over as well. Thus, if you’re running WordPress, keep all sites up-to-date, make sure all users have decent passwords and use a plugin like Exploit Scanner to check that things are set up right.

If you need help reading the results of Exploit Scanner, we’d be glad to lend a hand. Really, it’s pretty easy to secure WordPress, so it’s not that expensive to get a bit of professional help.

Microsoft XML Attack

Though we were notified last week that there was a problem with Microsoft’s XML implementation, news broke this weekend that it is now being actively exploited.

In response, Microsoft has released an emergency fix. This is not a patch, but rather a tool that temporarily hardens a workstation against an XML attack. Microsoft does this to help limit attacks while it works with vendors in the Microsoft Active Protections Program (MAPP) to build more robust detection and prevention capabilities to protect unpatched systems. Then, when the patches do come out, the problem will be considered officially resolved. Patches should be out by July 10th, if not sooner.

So, what should you do?

First, if you are running Sophos, Sourcefire or Alert Logic technology, trust your vendor. They are all in the MAPP and so will have decent protections soon. If, however, you are using a vendor that is not in the program, you should apply the fix to all Windows workstations that use Internet Explorer to browse the web. The fix is available here. Just scroll down and click on the button under “Apply.” When the patches are available, deploy them as soon as possible.

For more details, please see Microsoft’s security advisory.

June Updates and Patch Report

It’s “Patch Tuesday” week again, so let’s summarize several of the more important updates and patches.


Did you know there were two sets of updates this month? The normal Tuesday updates came out as expected, but before that, there was a special update to make sure this week’s updates were trustworthy. What happened is that Flame made the news and a part of the malware was designed to take advantage of a flaw with Microsoft certificates. So, to fix it, Microsoft had to release an update… but since that certificate was part of the update process, it had to be released early.

If you did not apply the update when it first came out, you’ll probably be okay. However, this is yet another example of why it’s important to stay on top of these. If you fall behind, not only are you unprotected against current threats, but you also cannot trust the updates that are waiting in the wings. If you are worried about falling behind, it may be time to consider patch management software.

The second round included updates for Remote Desktop, Internet Explorer and .Net. The IE one is being exploited, so update your workstations and laptops ASAP. Also, if you are one of the many companies exposing Remote Desktop to the internet, this is a very good example as to why that isn’t the best strategy. The flaw made public this week allows people to access those systems without logging in. If you are accessing RDP directly over the internet, it’s time to stop. There are some extremely simple and cost effective (some even free) VPN solutions out there. Please use them.

More details are here and here.

The Always-Expanding Hack List

If you regularly use LinkedIn, Twitter and/or eHarmony, it’s time to change your passwords. It’s also time to trust the users of those sites a little bit less. When a password breach occurs, not only is your data at risk, but so are all of your social connections. If one of your friends had a weak password, someone could log into their account and view all the information you share with them. While there’s nothing we can do directly in response to these attacks other than change our passwords, we really need to start putting more pressure on these sites to ensure they are protecting our data with better than minimal standards. If you are in the position of storing customer data, you might want to review your own processes, too. It’d be better to do that before a breach.


Adobe has released an update for … ColdFusion. If you’re not using ColdFusion, you don’t have to worry about Adobe patches this month. Also, if you’re running ColdFusion 10, you’re good. Kind of a shocker, I know.

If you’re running an older version of ColdFusion, read the details here.


It’s out … it’s finally out! If you’re running vSphere 5, you can read the hardening guide. This is a guide to both hardening AND assessing VMware infrastructures. Basically, all the auditors now have guidance, so expect them to get more annoying about it. Also, expect your assessors to have more documentation backing up why certain changes should be made. A good plan would be to actually make them! It’s usually going to make sense for you and the time you spend arguing would be better spent fixing issues.

I know that making some changes to a virtual environment can affect a lot of servers, but guess what happens if a flaw in your system is abused? I am firmly of the mind that a planned outage is much better than an unplanned one. Please harden your infrastructure.


Sadly, Apple did not release an iOS hardening guide. Instead, they just lifted the curtain a little bit and gave us a peek inside with the iOS security specs. If you are writing policies around mobile devices and have to support Apple, you should probably read this. It will also help you assess MDM solutions.


If you’re running PHP, you should know it’s being attacked. Keep it updated and if you can, seriously consider layering PHP-Suhosin, Mod_Security2 and AppArmor around it. PHP is good for developers, but it’s also good for attackers. If you want to use it for the former, you have to accept the risk from the latter.


Please excuse the tech speak here. If you are running MySQL and it was compiled with GCC using SSE, people can likely log into your system with the wrong password. Details are here. This issue is known to affect Ubuntu 64bit, OpenSUSE 64bit, Debian Unstable 64bit, Fedora and Arch Linux. Luckily, the more commonly used Ubuntu 32bit, Red Hat Enterprise Linux and the official binaries from MySQL are not affected.

In general, you should apply the patch immediately when available. You should also only expose your MySQL interface to the applications that need it and to the DBAs’ network. Most real world problems involving this vulnerability involve people who chose to make MySQL accessible over the internet. Like RDP, there are almost no good reasons to do this … so don’t.
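The advice here and in the Remote Desktop paragraph of the June report is the same: MySQL and RDP should not be listening where the internet can reach them. As an added example (not part of the original post), the script below audits `ss -tln`-style listener output and flags those two services when they are bound to a wildcard address rather than loopback or a trusted internal range. The sample output, the trusted prefix and the port table are constructed for the example; a wildcard bind is only actual internet exposure when nothing upstream filters it, so firewall rules still need their own check.

```python
import re

# Services the post says should never be reachable from the internet.
RISKY_PORTS = {3389: "RDP", 3306: "MySQL"}
# Address forms ss/netstat use for "all interfaces" on IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample in the shape of `ss -tln` output; not a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     10.0.5.12:3389       0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
"""

# Local address is the fourth column; the last ':' separates address and port.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")

def parse_listeners(text):
    """Return (address, port) for every LISTEN line; header/other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group("addr"), int(m.group("port"))))
    return found

def audit(text, trusted_prefixes=("10.",)):
    """Flag risky services that are not confined to loopback or a trusted range.
    trusted_prefixes is a hypothetical stand-in for the DBA/VPN network."""
    findings = []
    for addr, port in parse_listeners(text):
        if port not in RISKY_PORTS:
            continue
        service = RISKY_PORTS[port]
        if addr in WILDCARD_ADDRS:
            findings.append({"service": service, "port": port, "addr": addr,
                             "issue": "bound to all interfaces"})
        elif addr.startswith(LOOPBACK_PREFIXES) or addr.startswith(trusted_prefixes):
            continue  # loopback or internal-only: what the post recommends
        else:
            findings.append({"service": service, "port": port, "addr": addr,
                             "issue": "bound to an address outside the trusted range"})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f['service']:6} {f['addr']}:{f['port']}  {f['issue']}")
```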

Flame on!

The security world exploded this week with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded panic of this magnitude in our industry. Phrases like “most advanced malware,” “super-weapon” and “new era in cyberwar” are being thrown around like confetti. Let’s take a bit of a reality check.

Calm Down

1) Are you in the Middle East?

If not, relax. Evidence suggests the malware is focused on the Middle East … likely either Iran or Israel. While malware does spread quickly, highly-targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would simply be too much of it.

2) Have you updated your systems in the last two years?

If so, relax. While the news is new, it appears this malware was released in 2007. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.

3) Are you profoundly unlucky?

If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for five years… it has infected 382 systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are likely less than 0.0000076%. You are 22 times more likely to be struck by lightning than you are to get infected by Flame.

4) Are you a nation state?

If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.

Big Deal

So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.

First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes its way to the mainstream news. This is too bad, as both of these firms tend to perform excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.

Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take a look at these responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.

Then you have a slew of mainstream media articles that reference “cyber security experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy … which seems to be nothing more than a reporter needing a quick quote to get into the news cycle.

Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.

What To Do

The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.

Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.

Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also, if your users are running as local administrators, there’s not much you can do.

Modern malware does a lot of really neat things too, like infect smart phones, hide its tracks, punitively wipe systems if you tamper with it. Heck, for all I know, it’s also responsible for using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions AND you’re not patching your systems AND you don’t understand your data, this isn’t going to matter.

Basically, you have to walk before you run … and before you walk, you have to understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.

1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.

If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m always here to help.