Mar 15, 2010
I’m not an expert on web application firewalls, which is why I’m asking for feedback on the Mykonos Security Appliance. I was given a demo of the product at the RSA Conference this year and it’s one of the few products I’ve seen lately that’s doing something new and innovative. Or more accurately, it appears to be doing something new and innovative; it’s still in beta and this is a technology that’s outside my comfort zone. If you’re someone with expertise in WAFs, it should be worth at least a short look.
In a lot of ways, Mykonos appears to be a standard WAF; it can be used to protect your site from many of the standard coding errors that a WAF is designed to deal with. It addresses the OWASP Top 10, it has all the reporting capabilities to tell you something’s wrong; in this area it doesn’t appear to have a lot of extra punch you can’t get elsewhere. The place it does start to have some distinguishing capabilities is in the tracking and categorizing of, and response to, malicious attacks on your web site.
You want to know more about who’s probing your web site? Mykonos will dynamically modify the code your site is serving to get you more information on who’s attacking. It’ll tell you about the level of sophistication of the attacker, whether they’re just trying to manipulate a price in the shopping cart, if they’re trying a SQL injection attack or if they’re working on something at the higher end of the attack scale. And it gives you a lot of choices about how you want to respond; simply block the user, send custom code telling them they’ve been identified and logged or act as a honeypot to get even more information about the attacker and how he’s planning on attacking your site. The tracking and information gathering abilities seem to be pretty impressive and it may be worth looking at for that alone.
Mykonos looks like more than a plain vanilla web application firewall, and the downside to that is it requires more work from the administrator and more work from your developers to make full use of its capabilities. This also means its potential for becoming shelfware is much greater as well. But if you’re looking for more than what a standard WAF offers, it might be worth looking at this product. And once you do, I’d appreciate feedback on your impression of the product. Is Mykonos a potential new product market, a single product with greater capabilities or just a flash in the pan that won’t amount to much?
Aug 16, 2009
I finally had the time to sit down and read the NSS Labs Web Browser Security Phishing Protection paper this morning. This paper is a test of the more popular browsers in use today and how well the reputation based systems they’ve built work to protect users against phishing attempts by malicious sites. The big winners in the test were Firefox 3 (not 3.5) and IE8, which almost tied at 80% and 83% accuracy for blocking phishing sites. Given that the study quotes a margin of error of 3.6%, the two browsers are equal for most intents and purposes. The big loser of the test was Safari 4, which only had a 2% blocking rate for malicious sites. I hope Safari on my iPhone is better than it is on my MacBook, or at least that there are fewer phishing sites targeting the iPhone.
It’s very interesting that Firefox 3, Chrome 2 and Safari 4 all use Google’s Safebrowsing data feed but have very different results from the same data. Chrome 2 only had a 16% success rate in blocking, compared with Firefox 3 at 80% and Safari 4 at 2%. So why the big difference between the three browsers running off the same information? NSS Labs doesn’t offer an explanation and apparently none of the developers did either, so either Firefox is pulling in a lot of additional information from somewhere or the Chrome and Safari developers have some learning to do.
What I personally found the most interesting about the paper though was that the Anti-Phishing Working Group is quoted as saying that the average phishing site only has a lifespan of approximately 52 hours. None of the browsers really reach full effectiveness for blocking a phishing site for about 48 hours after the site has become active, therefore you’re only getting 4 hours of maximum benefits. The long term trends look good, but it’s a little disturbing that many phishing sites are relatively undetected for at least the first 24 to 48 hours they’re live.
I’d be curious to see how Firefox 3.5 changes this mix. Apparently it wasn’t stable enough to be used in this test, but maybe we’ll see a new set of tests next quarter. I’m also wondering what effect the FF plugin NoScript would have on the results. Since NoScript isn’t strictly speaking an anti-phishing tool, I doubt NSS Labs will be testing it any time soon, but I’d like to know how much more secure it makes my web surfing experience.
Now to go back and read the Socially Engineered Malware report.
Jul 07, 2008
I upgraded my secondary computers, the MacBook Pro and the wife’s desktop, to Firefox 3 the day it came out last month, but I put off upgrading my primary system until this weekend. Why? Because I dislike a number of the tab behaviors Firefox displays by default; they’re fine for light browsing, but for my more serious browsing, it got to be annoying. Trying to organize show notes and organize articles for blog posts is just easier when tabs behave the way I want them to, not the way Mozilla wants them to. So I waited for Tab Mix Plus to catch up with Firefox 3. Which they’ve done, even though it’s still a ‘development’ version.
There are a few features that TMP offers that I really need. The first is opening up URLs I type in a new tab rather than in the current window by default. There’s probably a way to get FF3 to exhibit this behavior without TMP, but I’ve never been able to get it to work right. Another feature is the ability to automatically reload a particular tab on a regular basis. I have a couple of stats windows I keep open that I want to reload every 15 minutes, like my blog stat and podcast stat pages. Neither of these features is absolutely necessary, but it makes my browsing experience more enjoyable.
Now to upgrade the kids’ computer and the other household laptop. It’s a bit scary that we’ve got more computers than people in our household. But I guess that’s part of what happens when you’re a computer geek.
Jul 16, 2007
I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.
I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.
On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30-day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.
Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-secure report. Anyone else out there keep track of the spam they receive for fun?
Technorati Tags: security, spam, McKeay
Jun 09, 2006
What an evil, sneaky, underhanded way to social engineer a business! I like it! This company took twenty USB thumb drives, seeded them liberally with malware and pictures, and left them on the ground outside the credit union they were targeting. People fell for it, and quite frankly I can’t say I blame them. If I found a thumb drive lying around in the parking lot, I’d probably plug it into a system to see who it belonged to myself. Or at least I would have before I read this article.
This was done as part of a penetration test, with the full approval of the company that was attacked. But is it really safe for anyone to assume that any media you find lying around was lost, not placed there on purpose? This really would be a good way to target almost any company you might want to mention. It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence. This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have. You have to assume malicious intent and prove that none exists, not the other way around.
Technorati Tags: security, USB drive, social engineering