Re: [SC-L] informIT: Modern Malware

2011-03-27 Thread Gary McGraw
The good old dancing pigs rear their oinking heads...

http://en.wikipedia.org/wiki/Dancing_pigs
http://securingjava.com/

gem

On 3/26/11 2:04 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote:

On 03/26/2011 01:12 PM, Gunnar Peterson wrote:
 Advanced = goes through firewall
 Persistent = tried more than once
 Threat = people trying to get into valuable stuff
 
 Nothing new to sc-l readers, but a reasonably good marketing term esp. by
 infosec standards (yay, we get to scare business people with something
 other than an auditor's clipboard!); really it's all just the collective
 sound of infrastructure security people coming to grips with the fact
 that their firewall isn't a wall at all, but rather a series of holes.

Uh..., doesn't *most* malware go through firewalls nowadays? So how is that
advanced?

In reality, advanced as used with APT means malware that was clever
enough to evade our normal AV defenses and socially engineer its way past
the common sense of those humans who wanted to see the dancing pigs.

In short, APT is spin-doctoring for getting caught with one's pants down.

-kevin
-- 
Kevin W. Wall
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. -- Nathaniel Borenstein, co-creator of MIME
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___




Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread iarce
On 3/22/11 12:41 PM, Gary McGraw wrote:
 hi sc-l,
 
 The tie between malware (think zeus and stuxnet) and broken software
 of the sort we work hard on fixing is difficult for some parts of the
 market to fathom.  I think it's simple: software riddled with bugs
 and flaws leads directly to the malware problem.   

Non sequitur

C'mon Gary, I understand the purpose of making such a simplifying
statement on the secure coding mailing list but its logic is untenable.

Bugs and flaws do not *directly* lead to malware, not even if you
defined bugs and flaws in a way that would nearly make your statement a
tautology (i.e. a bug|flaw is something that makes the existence of
malware possible).

What leads directly to the malware problem are the individuals and
organizations that develop and deploy malicious software. The fact that
they usually use undocumented APIs (what you call bugs and flaws) for
their purpose does not make those APIs the cause of the malware.

You could statically-analyze and SDLCfy all software till kingdom come
and that will still not prevent large consumer electronics or firmware
vendors from developing and shipping their own breed of malware with
their products.

Advocating development of secure software by Building Security In is a
commendable position but in my opinion it is only a necessary
component of a long term solution. I think that a long term solution
also requires us to stop dancing around the issue of abusive EULAs, the
lack of vendor liability and to factor in the adversary's motivations
and incentives.

I realize the above remark may lead to a discussion that is off topic
for this mailing list so I'll turn to the last paragraph of your article:

 Fortunately, many leading firms, including Adobe and Microsoft, are
 taking a determined approach to software security and real results
 are coming in the form of more secure software and less vulnerability
 to malicious code.

How do you measure software security? You say real results, more
secure and less vulnerable but this may just be a highly subjective
assessment about the success of the approach of some specific vendors.

One could also say that despite some vendors' determined approach to
software security, a decade and hundreds of millions of dollars into the
process they've still not made a dent in the malware problem, so how does
that make their current software more secure|less vulnerable in practical terms?

-ivan
-- 
Ivan Arce
CTO - Core Security Technologies


Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Gary McGraw
hi mh,

I agree that the APT term is overused by the marketing types.  In this
case you can translate it as malware that infects a server or an ad
network and is served up to unwitting victims in a drive by download.
Neil, anything to add?

What would you call it haroon?

gem

On 3/26/11 8:14 AM, Haroon Meer har...@thinkst.com wrote:

Hi

On Wed, Mar 23, 2011 at 5:14 PM, Gary McGraw g...@cigital.com wrote:
 Dasient protects the server side of the APT problem
 (especially when it comes to bad ads)

Arguing over semantics and loosely defined terms is a recipe for a
circular flame-thread, but this statement seems wrong on many levels.

I know every vendor (and his cousin who is currently thinking of
starting a business) is claiming to defend against APT, but this seems
like horrible buzzword misuse.

/mh
-- 
Haroon Meer    http://thinkst.com/
Tel: +27 83 786 6637    PGP: http://thinkst.com/pgp/haroon.txt





Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Haroon Meer
Heya Gary (all)

On Sat, Mar 26, 2011 at 3:32 PM, Gary McGraw g...@cigital.com wrote:
 I agree that the APT term is overused by the marketing types.  In this
 case you can translate it as malware that infects a server or an ad
 network and is served up to unwitting victims in a drive by download.

Malware distributors look for good distribution channels, and the
ad-server provides one.
While it is a Threat, it's no more Advanced than we have seen before.
It isn't more Persistent than Stoned [1] was on a disk.

 What would you call it haroon?

In truth, I would avoid giving it a new name.
Drive by download: Yes. APT: No

/mh

[1] http://en.wikipedia.org/wiki/Stoned_(computer_virus)

-- 
Haroon Meer | Thinkst Applied Research
http://thinkst.com/pgp/haroon.txt
Tel: +27 83 786 6637



Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Gary McGraw
Agreed.  

Now all you need to do is convince the people who need to solve the
problem that you have a pointer for them to use without a label??  The
market (probably because of the marketing types) is discussing and wanting
solutions for the APT problem. To see how embedded this language is in
the current discourse, look no further than the RSA SecurID problem
explanation that is being proffered in lieu of a real technical
explanation of what happened.

Welcome to commercial security.

gem

On 3/26/11 9:52 AM, Haroon Meer har...@thinkst.com wrote:

Heya Gary (all)

On Sat, Mar 26, 2011 at 3:32 PM, Gary McGraw g...@cigital.com wrote:
 I agree that the APT term is overused by the marketing types.  In this
 case you can translate it as malware that infects a server or an ad
 network and is served up to unwitting victims in a drive by download.

Malware distributors look for good distribution channels, and the
ad-server provides one.
While it is a Threat, it's no more Advanced than we have seen before.
It isn't more Persistent than Stoned [1] was on a disk.

 What would you call it haroon?

In truth, I would avoid giving it a new name.
Drive by download: Yes. APT: No

/mh

[1] http://en.wikipedia.org/wiki/Stoned_(computer_virus)

-- 
Haroon Meer | Thinkst Applied Research
http://thinkst.com/pgp/haroon.txt
Tel: +27 83 786 6637




Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Gunnar Peterson
Advanced = goes through firewall
Persistent = tried more than once
Threat = people trying to get into valuable stuff

Nothing new to sc-l readers, but a reasonably good marketing term esp. by 
infosec standards (yay, we get to scare business people with something other 
than an auditor's clipboard!); really it's all just the collective sound of 
infrastructure security people coming to grips with the fact that their 
firewall isn't a wall at all, but rather a series of holes.

-gunnar





Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread John Wilander
A positive side effect of many vendors being US-based is that the US market 
takes most of the buzzword marketing hit. :)

On a more serious note, I think there really are APTs out there, state-driven 
and all. The problem is when organizations use the term to get away with 
sub-standard security or to motivate why they can't tell you any details of a 
recent hack.

We need to define what is required for a threat/an attack to be APT. 
State-driven and funded? 0-day(s) used? Tailor-made exploit for the target? 
That way we can at least interpret what RSA and others are saying. Right now I 
can only interpret their statements as "We got owned but we'll lose too much 
business if we tell you what happened. Just trust us instead." And I really 
hope that's not the truth.

Continued Business by Obscurity

   Regards, John


Sent from my iPad

On 26 mar 2011, at 18:12, Gunnar Peterson gun...@arctecgroup.net wrote:

 Advanced = goes through firewall
 Persistent = tried more than once
 Threat = people trying to get into valuable stuff
 
 Nothing new to sc-l readers, but a reasonably good marketing term esp. by 
 infosec standards (yay, we get to scare business people with something other 
 than an auditor's clipboard!); really it's all just the collective sound of 
 infrastructure security people coming to grips with the fact that their 
 firewall isn't a wall at all, but rather a series of holes.
 
 -gunnar
 
 
 



Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Kevin W. Wall
On 03/26/2011 01:12 PM, Gunnar Peterson wrote:
 Advanced = goes through firewall
 Persistent = tried more than once
 Threat = people trying to get into valuable stuff
 
 Nothing new to sc-l readers, but a reasonably good marketing term esp. by 
 infosec standards (yay, we get to scare business people with something other 
 than an auditor's clipboard!); really it's all just the collective sound of 
 infrastructure security people coming to grips with the fact that their 
 firewall isn't a wall at all, but rather a series of holes.

Uh..., doesn't *most* malware go through firewalls nowadays? So how is that
advanced?

In reality, advanced as used with APT means malware that was clever
enough to evade our normal AV defenses and socially engineer its way past
the common sense of those humans who wanted to see the dancing pigs.

In short, APT is spin-doctoring for getting caught with one's pants down.

-kevin
-- 
Kevin W. Wall
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. -- Nathaniel Borenstein, co-creator of MIME


Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread AK
Hi everyone,

Assuming that "are we missing DEP and assorted userland exploit
mitigations for the web" is not a rhetorical question: indeed, assorted
technologies based on randomized instruction sets have been researched,
and I have seen PoC solutions circa 2004 (SQLi) and more recently for
XSS. [1] is a nice starting point, as I am in somewhat of a hurry to
locate the papers/PoCs now.

Obviously, if that was a rhetorical question, :)

[1] http://www.cs.columbia.edu/~angelos/cv.html
On 03/26/2011 09:12 PM, Arian J. Evans wrote:
 [SNIP]
 And why is that? Are we missing DEP and SEHOP and such for the web?

 Or is the web, the browser, and userland malware just where the easy
 money is, so the attackers focus there?

 ---
 Arian Evans
 Software Security Realism

-- 
-- thanasisk


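The "randomized instruction set" defence against SQL injection that AK mentions above (the SQLrand approach of Boyd and Keromytis, 2004) is easier to reason about with a working sketch. The block below is an added example written for this page; it is not code from that paper, from anyone in this thread, or from any product. The keyword list, the tag format (a hex key appended to each keyword) and the tokenizer are simplified assumptions; a real deployment would use a full SQL lexer for the target dialect.

```python
"""
Added illustration of SQL keyword randomization (instruction set randomization
applied to SQL, as in SQLrand): trusted query text is tagged with a secret key,
untrusted input is not, so a proxy in front of the database can tell the two
apart even when the application still concatenates strings. Example code for
this page; keyword list, tag format and tokenizer are simplified assumptions.
"""
import re
import secrets

# Constructed, deliberately short keyword list (assumption: a real deployment
# covers the whole SQL dialect the database accepts).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "ALL", "DROP",
            "TABLE", "INSERT", "INTO", "VALUES", "UPDATE", "SET", "DELETE",
            "LIKE", "ORDER", "BY", "EXEC"}

# Tokenizer: a complete single-quoted literal (with '' escapes), a stray quote,
# a word, a run of whitespace, or one punctuation character.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|'|\w+|\s+|[^\w\s]")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(sorted(KEYWORDS)) + r")\b", re.IGNORECASE)


def make_key(nbytes=4):
    """Per-deployment secret appended to every keyword; regenerate on restart."""
    return secrets.token_hex(nbytes)


def randomize_template(template, key):
    """Application side: tag every keyword in the *trusted* query template.
    User input must never pass through here; it is spliced in afterwards."""
    return _KEYWORD_RE.sub(lambda m: m.group(0).upper() + key, template)


def build_query(user_name, key):
    """The legacy pattern this scheme protects: the template is randomized once,
    then attacker-controlled text is still concatenated straight into it."""
    template = "SELECT id FROM users WHERE name = '{name}'"
    return randomize_template(template, key).replace("{name}", user_name)


def derandomize(query, key):
    """Proxy side: strip the tag from tagged keywords and forward plain SQL.
    A keyword without the tag did not come from the application's template,
    so the whole query is rejected. Text inside quoted literals is left alone,
    so a user legitimately searching for 'from' is not a false positive."""
    out = []
    for tok in _TOKEN_RE.findall(query):
        if tok.startswith("'") or not (tok[0].isalnum() or tok[0] == "_"):
            out.append(tok)           # literal, stray quote, whitespace, punctuation
            continue
        stem = tok[:-len(key)] if tok.upper().endswith(key.upper()) else None
        if stem is not None and stem.upper() in KEYWORDS:
            out.append(stem.upper())  # tagged keyword: strip the tag
        elif tok.upper() in KEYWORDS:
            raise ValueError(f"untagged SQL keyword {tok!r}: likely injection")
        else:
            out.append(tok)           # identifier, number, etc.
    return "".join(out)


def is_injection(query, key):
    """True if the proxy would reject this query."""
    try:
        derandomize(query, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = make_key()
    print(derandomize(build_query("alice", key), key))
    print("blocked:", is_injection(build_query("' OR '1'='1", key), key))
```

The point of the exercise is that the vulnerable concatenation in `build_query` is left exactly as it was; the injected `OR` and `UNION` are rejected only because they lack the tag that the application's own keywords carry. The scheme stands or falls on the key staying secret (an attacker who learns it can tag their own keywords) and on the proxy's lexer matching the database's.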

Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Andy Steingruebl
On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 The tie between malware (think zeus and stuxnet) and broken software of the 
 sort we work hard on fixing is difficult for some parts of the market to 
 fathom.  I think it's simple: software riddled with bugs and flaws leads 
 directly to the malware problem.   No, you don't use static analysis to find 
 malware as the AT&T guys sometimes think…you use it to find the kinds of 
 bugs that malware exploits to get a toehold on target servers.  One level 
 removed, but a clear causal effect.

Gary,

Interestingly, your article only covers malware that gets installed by
exploiting a technical vulnerability, not malware that gets installed
by exploiting a human vulnerability (social engineering).  I've been
looking around and haven't found much data on infection rates,
percentages, success rates, etc. but "voluntarily installed" malware
is a significant and growing concern, and it requires an entirely
different approach than that required for malware that exploits a
technical vuln.

Thoughts?

- Andy



Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Gary McGraw
hi andy,

If you read the article again, I think you'll find that the solutions
offered by both Invincea and Dasient work regardless of whether the
malware is installed through broken software or through social
engineering. Dasient protects the server side of the APT problem
(especially when it comes to bad ads), and Invincea wraps the browser (or
the Adobe product) in an instrumented and transparent VM.

I agree that clueless users who click on whatever pops up lead to many
infections even when software is in reasonable shape, but I don't see that
as a reason not to build better software.  Presumably, you guys at paypal
agree.  Right?

gem

On 3/22/11 7:57 PM, Andy Steingruebl stein...@gmail.com wrote:

On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 The tie between malware (think zeus and stuxnet) and broken software of
the sort we work hard on fixing is difficult for some parts of the
market to fathom.  I think it's simple: software riddled with bugs and
flaws leads directly to the malware problem.   No, you don't use static
analysis to find malware as the AT&T guys sometimes think…you use it
to find the kinds of bugs that malware exploits to get a toehold on
target servers.  One level removed, but a clear causal effect.

Gary,

Interestingly, your article only covers malware that gets installed by
exploiting a technical vulnerability, not malware that gets installed
by exploiting a human vulnerability (social engineering).  I've been
looking around and haven't found much data on infection rates,
percentages, success rates, etc. but "voluntarily installed" malware
is a significant and growing concern, and it requires an entirely
different approach than that required for malware that exploits a
technical vuln.

Thoughts?

- Andy




Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Martin Gilje Jaatun

On 2011-03-23 00:57, Andy Steingruebl wrote:

On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw g...@cigital.com wrote:

[...]

malware as the AT&T guys sometimes think…you use it to find the kinds of bugs 
that malware exploits to get a toehold on target servers.  One level removed, but a 
clear causal effect.

Interestingly, your article only covers malware that gets installed by
exploiting a technical vulnerability, not malware that gets installed
by exploiting a human vulnerability (social engineering).  I've been

[...]

As someone once said: Idiot-proofing is difficult because the idiots are 
so ingenious...


I'm not sure if we really can protect ourselves against stupid users 
through secure coding. Marcus Ranum opined 5 years ago that even 
educating users is pointless, opting for some way of punishing them 
instead:
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/users.html 



Can we idiot-proof computer systems without crippling them for the rest 
of us?


-Martin


Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Andy Steingruebl
On Wed, Mar 23, 2011 at 8:14 AM, Gary McGraw g...@cigital.com wrote:

 I agree that clueless users who click on whatever pops up lead to many
 infections even when software is in reasonable shape, but I don't see that
 as a reason not to build better software.  Presumably, you guys at paypal
 agree.  Right?

First, I tend to use my personal email here rather than work one, so
don't assume I speak for them ever, and especially not when I use my
own email :)

Second, I totally agree on making endpoints more resilient against
malware, increasing software security, etc.  I've noticed however that
we (many of us, especially those with a user-rights bent) end up with
two competing goals in this space:

1. Make endpoints resilient against malware
2. Allow users to have complete control of their own computer, aka, no
walled gardens.

These two competing desires make defeating malware especially
problematic.  Lots of malware exploits technical flaws, and increasing
our software security practices will help defeat these.  As these
defenses get better, malware moves towards social engineering, and
we're ill-equipped to defend against these as there are more and more
software distribution channels, and policing gets harder.  Hence the
traditional AV-signature based approaches, which are only
semi-effective, especially when the Rogue-AV software even has a
human-staffed helpdesk to help you remove your actual AV and replace
it with theirs.

All the systems we've come up with so far to defeat this involve
walled gardens, heuristics looking for bad behavior, etc. and they are
all sort of a band aid.

Your article started out saying: "At the same time, software
complexity, including the notion of extensibility designed into
virtual machines like the Java Virtual Machine (JVM), leads to serious
and widespread software vulnerability that lies at the root of the
malware problem."

It is this statement that I'm wary of, as it doesn't take into account
the non-vulnerability aspects of the problem.  If we ignore those and
only focus on drive-by malware, we're quickly going to find that the
attackers have shifted their focus, and our purely technical controls
are ineffective.

Neil makes a good point on this thread about how Dasient, and other
providers, can help, and there are also some client-side techniques
that are useful.  So is Apple's curated app-store.  It isn't perfect,
but the curated model along with swift revocation is a fairly
effective defense against mass-infection, but not targeted infection.

No real conclusions here I suppose, but I thought it useful to
highlight some of the inherent tensions.

- Andy



[SC-L] informIT: Modern Malware

2011-03-22 Thread Gary McGraw
hi sc-l,

The tie between malware (think zeus and stuxnet) and broken software of the 
sort we work hard on fixing is difficult for some parts of the market to 
fathom.  I think it's simple: software riddled with bugs and flaws leads 
directly to the malware problem.   No, you don't use static analysis to find 
malware as the AT&T guys sometimes think…you use it to find the kinds of bugs 
that malware exploits to get a toehold on target servers.  One level removed, 
but a clear causal effect.

Malware is something Cigital has been thinking and writing about for many 
years.  This month's informIT column takes a walk down memory lane and then 
fast forwards to today.

Modern Malware: http://www.informit.com/articles/article.aspx?p=1695979 (March 
22, 2011)

This month's article is the latest in a series I have been publishing for over 
5 years.  You can find all of the articles here: 
http://www.cigital.com/~gem/writings/

Incidentally, a Justice League blog entry featuring the malware article also 
includes a pointer to a video produced by Dasient about the malware problem.  
See http://www.cigital.com/justiceleague/

gem
