Not-so-secure implementations of SecureString

Microsoft .Net has an object for safely and securely handling passwords: System.Security.SecureString. “The value of a SecureString object is automatically encrypted, can be modified until your application marks it as read-only, and can be deleted from computer memory by either your application or the .NET Framework garbage collector”, according to the MSDN documentation. As with any security control, however, there are a few ways around it. Consider the following PowerShell and C# code samples.

# Some not-so-secure SecureString code from a vendor whitepaper
$password = Read-Host -AsSecureString -Prompt "Please provide password"

// Some not-so-secure SecureString code I wrote by mistake
using System.Security;

private SecureString secretString;

private void button1_Click(object sender, RoutedEventArgs e)
{
  secretString = new SecureString();
  // textBox1.Text is an ordinary managed string, so the password already sits in
  // memory in clear text before it is copied char by char into the SecureString.
  foreach (char c in textBox1.Text.ToCharArray()) { secretString.AppendChar(c); }
  textBox1.Text = "";
}

Try the samples above. Use something like Mandiant’s Memoryze or AccessData FTK Imager to get a copy of your current Windows memory. Search the memory for your password and, sure enough, you will find it in clear text. Sometimes, as with the C# code, you will find your password several times over.

What happened? In both cases, the value was passed to the SecureString in clear text. The SecureString itself is encrypted; the original input is not. That input value may stay in memory for a long time, depending on what the underlying Windows OS is doing.

Below are some examples of populating a SecureString in such a way that the password is not exposed in clear text. As the saying goes, trust but verify. In this case, trust the method but check using Memoryze or Imager to be certain.

# A secure SecureString implementation
$password = New-Object System.Security.SecureString
do {
  # NoEcho keeps the keystroke off the screen; each character goes straight into the SecureString
  $key = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
  if ($key.Character -eq 13) { break }   # Enter ends input
  $password.AppendChar($key.Character)
} while ($true)

// A more secure SecureString code example
private void button1_Click(object sender, RoutedEventArgs e)
{
  // PasswordBox.SecurePassword hands back a SecureString copy; no plain-text string is created
  secretString = passwordBox1.SecurePassword;
  passwordBox1.Clear();
}
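As an added example that is not part of the original post, the PowerShell pattern above extended into a reusable function that also handles Backspace, marks the result read-only, and then consumes the secret without ever materialising a plain-text .NET string. The function name, the account name and the unmanaged-buffer pattern are my own choices; the example assumes the console host, since ReadKey with IncludeKeyDown is not available in every PowerShell host.

```powershell
# Added example (not from the original post). Builds a SecureString one keystroke
# at a time so no intermediate plain-text string is ever created, then shows two
# ways to use it that do not re-expose the value on the managed heap.

function Read-SecureStringNoEcho {
    param([string]$Prompt = 'Password')

    Write-Host "${Prompt}: " -NoNewline
    $secure = New-Object System.Security.SecureString

    while ($true) {
        # NoEcho keeps the character off the console and out of the host's output buffer;
        # IncludeKeyDown gives one event per key press.
        $key = $host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')

        if ($key.VirtualKeyCode -eq 13) { break }            # Enter: finished
        if ($key.VirtualKeyCode -eq 8) {                      # Backspace: drop last char
            if ($secure.Length -gt 0) { $secure.RemoveAt($secure.Length - 1) }
            continue
        }
        # Modifier and navigation keys report Character as [char]0; skip them.
        if ($key.Character -ne [char]0) { $secure.AppendChar($key.Character) }
    }
    Write-Host ''

    # Freeze the value so later code cannot append to or alter it.
    $secure.MakeReadOnly()
    return $secure
}

# 1. Preferred: hand the SecureString to something that accepts it as-is.
#    PSCredential keeps it encrypted, and cmdlets that take -Credential pass it along.
#    'svc-example' is a constructed account name for illustration.
$cred = New-Object System.Management.Automation.PSCredential(
    'svc-example', (Read-SecureStringNoEcho -Prompt 'Service password'))

# 2. If an API insists on a plain string, decrypt into unmanaged memory and zero it
#    as soon as the call returns. Avoid the common PtrToStringAuto(SecureStringToBSTR(...))
#    idiom: it copies the secret into an immutable managed string that lingers on the
#    heap exactly like the Read-Host and TextBox cases above.
$ptr = [IntPtr]::Zero
try {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($cred.Password)
    # ... call the native API with $ptr here ...
}
finally {
    if ($ptr -ne [IntPtr]::Zero) {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
    }
}
```

Verify the result the same way the post suggests: take a memory image after running it and confirm the password does not appear in clear text.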

Boulder rolling in Dark Reading

My BSides Cleveland talk got some attention, and was part of a Dark Reading article on risk management. Check out 4 Reasons Why IT Security Needs Risk Management, also available as a PDF on my Press page.

“Traditional IT security has what I think of as a Sisyphus complex,” says J. Wolfgang Goerlich, information systems and security manager for a Midwest financial services firm. “Every day, we roll the boulders up hill. We leave with as many systems, or boulders, secure as possible at the top of the hill. Overnight, new attacks are formed and new vulnerabilities are released. The next morning, some systems are insecure again, and we start again rolling boulders back up hill.”

According to Goerlich and many of his peers, if security organizations are to evolve past that daily toil and affect meaningful change on their respective businesses, they need to embed risk management principles in their decision-making framework. “Moreover, rolling the boulder isn’t the goal of security, but rather the goal is securing the ability of the organization to accomplish its mission,” he says. “Risk management is an important technique that focuses security efforts on the organization’s mission and prioritizes efforts on critical systems.”

But what is important to the organization? What value does any given piece of technology deliver to the organization’s mission? To answer these questions, we have to step back first.

The first step in building an effective security program is aligning with executive management and tying security tasks back to business objectives. Once that is done, we can move on to building an ITGRC function (IT governance, risk, and compliance). But executive sponsorship is key; otherwise, it will be extremely difficult to get feedback and support from the business units. The importance of this support cannot be overstated. Pierluigi Stella, CTO, Network Box USA, says: “Proper risk management is done when IT is only the project manager but every single business unit contributes its own knowledge to the process; and this needs to start from the top, from the C levels.”

It is all part of building a mature information security program. For my full thoughts on building such a program, you can watch my BSides Cleveland Naked Boulder Rolling talk.

Let me tell you why you are right

I had the conversation a few times on Friday. You know the one. The one techies always have when they are with techies. The one where you are wrong and they are ready to tell you why.

Yep. I had a few conversations. What is better, Hyper-V or VMware? Azure or Amazon? DerbyCon or GrrCon? Following Rafal Los or not? *

I answered in my typical measured fashion. Take GrrCon, for example. I like promoting local talent. I like Chris and Jaime Payne. I am speaking there, as are a number of my friends. GrrCon was good to me last year and I am looking forward to returning this year. That is my bias.

“Wow,” the guy who asked remarked, “I’ve never heard someone explicitly tell me they were biased and then only say why they are making a decision. Usually people just tell me what they think I should do.”

That is telling, isn’t it?

My approach to the conversation is simple. I will tell you why I made my decision. If you would like, I can enumerate my reasons behind it. And when my reasons change, my decision will change. I see no reason to get my ego wrapped up in a decision.

So let me tell you why you are right. You are right because you weighed the evidence. You are right because you took into account your strengths and weaknesses, and the strengths and weaknesses of your team. You are right because you compared features and benefits. You are right because you made a choice based on the culture of your organization and industry. You are right because you made a decision that was right for you.

You are right. Now you made a decision that was different from mine. Why not tell me a bit more about what you decided?

Wolfgang
* Footnote: None of these were as vicious as the Linux versus Windows conversations of old. But it struck me as an odd progression. We used to argue over operating systems and chips. Today we argue over virtualization and cloud. That is progress, I suppose. But why are we arguing over places and people? It seems like a strange turn of events.

BSidesCleveland 2012

I went to BSides Cleveland last Friday. We put the word out to the #misec mailing list, and took a couple of carloads of Michigan IT/InfoSec pros down to Ohio. The conference was well run, the swag bags were well stocked, and everyone I spoke with enjoyed themselves. Below are some of the highlights.

Dave Kennedy (Rel1k) kicked off the conference. Dave has recently made the transition from Diebold’s CSO to CEO at TrustedSec. Dave demoed some advanced pentesting techniques using the Social-Engineer Toolkit (SET). Of note, did you see the news on the new scary attack that knows your OS? Yeah. That was Dave’s code being re-used. Whoops.

Next up was Bill Mathews (@billford) on cloud security. I have a reasonably sound understanding of cloud computing and cloud security. I went to Bill’s talk to get ideas on how to talk with non-infosec people about cloud concepts. Bill did not disappoint. He had a good talk, kept my interest, and provided a one page cheat sheet at the end. (These sheets are on their way to my team already.) You can see Bill’s slides and cheat sheet at Hurricane Labs.

I attended Jeff Kirsch’s talk next (@ghostnomad). As a haiku fan and long-time reader of Jeff’s blog, I really wanted to meet Jeff. He is also a hard guy to meet because I rarely see him at other conferences. Finally I had my chance! Moreover, I identified end-user training as a weakness in my security program and I am on the lookout for ways to improve. The “<? $People ?> Process Technology” talk was informative and helped steer me in the right direction.

Jeff joined us for lunch at the Winking Lizard Tavern. We got to talk secbiz, rail against auditors who don’t get it, rail against IT managers who don’t get it, and basically geek out on the business side of infosec. I rarely get to scratch the business itch and so this was a real treat.

After lunch, I gave an updated version of my Naked Boulder Rolling talk. How did this compare to the one I gave in June? Detroit was more fun and Cleveland was more satisfying. That is to say, I enjoyed the audience participation and humor while presenting in Detroit. The only problem was that it meant a good quarter of my talk was cut due to time. In Cleveland, I was able to present the material in full. I felt the overall message of the talk was conveyed more clearly. I fielded some good questions afterwards that have me thinking of making a new ITGRC deck.

With Matt Johnson’s incident talk fresh in my mind, I joined Mick Douglas’s talk on Automating Incident Response. Mick’s metaphor was building a sprinkler system to respond to the burning building that is the security breach. Add to that the research that shows how exponentially expensive a breach gets the longer it goes undetected, and Mick has a powerful argument. He wrapped up by demonstrating Python scripts that respond to incidents using network segmentation and throttling. Mick gave me a few ideas that I am going to try on my own network gear this coming week.

I sat in on a talk by James Siegel (@WolfFlight) next. James has been thinking about moving the security conversation beyond the echo chamber for some time. At BSides Detroit, he brought a hallway con discussion around the topic that led up to a podcast. It was decent for a first time presenter. James employed some humorous visuals featuring Looney Toons to provide a clear call to action: let’s educate non-technical folks.

I walked into the next session chanting “.net! .net! .net!” Some might argue that was because of all the free Bawls drinks. But, no, I was excited to see Bill Sempf’s perspectives on application security. Bill walked us thru ASP.NET controls for the OWASP top ten, and touched upon using Back|Track for validation. The key insight from this talk was using Back|Track scripts to validate code as part of the build process. This dove-tails nicely with my philosophy of baking infosec into the work, and I am looking to explore the concept further in the next few months.

The conference wrapped up with a two hour after party, and then a three hour drive back home. I had a number of great conversations over those five hours, and spent yesterday collecting notes and pulling down content. BSides always leaves me fired up to do more, learn more, and see more. BSides Cleveland once again proved why community conferences are so inspiring. All I can say is, when do we get to do it again?

Kudos to Dave DeSimone and the Cleveland organizers, and thank you to the sponsors: Diebold, Accuvant, FireEye, f5, Bit9, DerbyCon, Hurricane Labs, Neoisf, SecureState, Rapid7, and McAfee.

Update: The videos for all BSides Cleveland talks are now online: http://www.irongeek.com/i.php?page=videos/bsidescleveland2012/mainlist

Focusing the diffusion of innovation

Many books talk about the diffusion of innovation and the division of the population into a bell curve of innovators, early adopters, early majority, late majority, and laggards. A person in the innovators or early adopters category, some books suggest, will have the latest television, be the first to get the newest mobile telephones, and be up to date on the latest and greatest products.

I have a Panasonic tube television manufactured in the nineties. My phone is a BlackBerry Storm. I am sorry to say that my iPad is gen 1 and still has iOS 4. And yet, many people remark on how innovative my team is with technology. So what gives?

In a word: focus.

IT management needs to be sharply focused on their value proposition. Mine is delivering technology at the nexus of business value, team passion, and team skill. Rating each of the three as low or high splits a team’s work into eight states, ranging from low value, low passion, low skills at one end to high value, high passion, high skills at the other.

Focus innovative thinking on only areas that drive high value. This takes discipline. I would like more than anything to tinker with a new phone, try out a new iOS, maybe write an app or two. However, we deal with finite resources and limited time. By conserving energy for areas that really drive value, we can be more innovative in ways that are more effective.

Below are the value proposition and the corresponding diffusion of innovation.

  1. Low value, low passion, low skills. Laggard: put in the least amount of resources.
  2. Low value, low passion, high skills. Late majority: how can we meet this need by practicing our skills?
  3. Low value, high passion, low skills. Late majority: how can we scratch the itch and satisfy the need?
  4. Low value, high passion, high skills. Early majority: we have the interest and know-how. Use it.
  5. High value, low passion, low skills. Early majority: partner but move quickly.
  6. High value, low passion, high skills. Early adopter: create excitement thru being innovative.
  7. High value, high passion, low skills. Early majority: be a fast follower to build skills.
  8. High value, high passion, high skills. Innovators: give the process your full attention.

Steven Fox’s Social Illusion

Steven Fox (@SecureLexicon) has been giving a series of talks on creating social illusions. Last Friday, I joined Steven at EMU where he was presenting as part of EMU’s IA summer workshop series. The topic was spearphishing. Steven demonstrated using Maltego to create an email, while Evan Malamis showed how the Social Engineer Toolkit could weaponize and distribute the email.

Let’s suppose Steven was deliberately targeting someone who attended BSidesDetroit. What should the email look like, and who should it be from?

The first thing Steven did was create a social network nodal graph from BSidesDetroit. By navigating the graph, it became obvious there was a tight network bond between Matt Johnson, Derek Thomas, and myself. There was an “ah ha!” moment as Steven explained how a message to a target could be sent from any one of us three.

Now what topic should the email use? Steven pivoted Maltego and pointed out an interesting relationship between BSidesDetroit and BSidesChicago. So he graphed BSidesChicago, and looked for intersections. From there, he probed to see how those intersections touched upon Matt, Derek, and me.

Out popped a tweet from Mr. Minion on the Chicago ISACA/ISSA boat cruise. Steven pulled the tweet and resulting social interactions into another graph. There, it became obvious that #misec was involved. Steven was able to pull out several key pieces of information, including URLs and the like.

The final step of the process was to write the email. Essentially, Steven combined Maltego results with some Google fu to determine how #misec would pitch an event. The look, the feel, and the tone of the message were carefully crafted. Steven even perfectly emulated my writing style. (Take a look for yourself here.)

How successful was this forgery? Consider the following three pieces of evidence.

First, one person immediately commented: “Does that count? We all know the #misec guys are doing this boat thing.” Except we are not. The interesting thing is that #misec is not actively planning a river cruise. Yet the email was so well done that the audience immediately assumed we were.

Once that was explained, another person went: “It is funny you mention the cruise. I would have clicked on it because I remember Elizabeth Martin talking about Detroit doing a boat cruise.” This turned out to be a case of a person’s memory adjusting to fit the facts they saw in front of them. Checking with Elizabeth, she did not talk about the cruise during BSidesDetroit at all.

Actually, the Twitter buzz preceded my checking with Elizabeth Martin. All the buzz led Elizabeth to the logical conclusion that there was a cruise, and she spent an hour researching boats for our event. She later tweeted out: “The best part is I thought I was supposed to plan a cruise so I started working on it!”

Think about that for a moment. Steven Fox effectively invented an event. He crafted a message so accurate that it caused people to remember it, had people believing it was actually happening, and effectively created its own reality. Talk about creating social illusions!

InfoWorld 2012 Technology Leadership Awards

InfoWorld recognized my team’s efforts this month with a Technology Leadership Award. This was largely based on the strides we have made since consolidating the application development team with my network operations team. You can view the piece here and on my press page.

I was not contacted for the piece and was rather surprised to see it come across in my news feeds. It is important to add a bit of context to the story, I think.

First, as with any overnight success, the story was years in the making. I met my firm’s Director back in 1998 when I was a project manager at a VAR. It was clear then that they were years ahead of the competition. That advantage never wavered. Under the Director’s guidance, the technology remained on the leading edge year after year. I joined the firm in 2005 and inherited a well-tuned infrastructure with excellent business and vendor relations. This award truly is the continuation of more than a decade of technological leadership.

Second, information systems is a team sport. I am fortunate to have a fantastic team with deep technical skills and broad business skills. The article talks about my role in leading the DevOps (“one team, one system”) and private cloud (“not a cloud in the sky”) initiatives. Both initiatives were developed with a great deal of input from the team. Both were executed successfully in large part due to the team’s prowess. Frankly, leadership is not that hard when you are surrounded by awesome people.

I appreciate InfoWorld recognizing our efforts over the past two years. The Technology Leadership award is reflective of the people I work with. The award reflects their skills, passions, and commitment to the team’s success. Here’s to teamwork!

BSides Detroit 12 by MiSec

What a difference a year and a community make. I attended the first BSides Detroit last year and it was in stark contrast to Source Boston. I thought perhaps that was the nature of the local conferences. Then GrrCON opened my eyes to what was possible. I began to think of how we could raise the quality of BSides Detroit 12 to match events like Source and GrrCON. And I was invited to volunteer and ready to help organize the next event. Game on.

BSides Detroit 12 was every bit the event we set out to make it. 2 days, 2 tracks, 4 workshops, 32 speakers, all set to educate and engage some three hundred participants. The event was held in the GM Renaissance Center. We had climate controls, working audio/video, an evening reception, and we were every bit a full destination conference.

Being an organizer puts me in a tough spot. I typically write up a conference by calling out a few talks that I felt captured the gestalt of an event. How do I do that after spending six months podcasting with all the speakers? How do I feature some and leave others off, knowing each of the presenters as I do?

I tried a tack of thanking people who made this event. We had four organizers including myself, dozens of volunteers, sponsors, and many others who made this possible. My first few drafts resembled an Oscars Awards speech gone awry. While the tack does not work, the effort produced the real insight.

The #misec community is the main difference between last year and BSides Detroit 12. The podcast leading up to the event was organized by #misec regulars Chris J and Justin. Many of the talks were tested and tuned at #misec meet-ups. The three keynote speakers were all invites from #misec regulars, too, come to think of it. #misec led to some fantastic collaboration with GrrCON and BSides Chicago. And while some jokingly called this #misecon, we were out volunteering in force. This was our moment.

What difference does a community make? It makes for an event that is qualitatively and quantitatively better by any measure. It makes me awed and grateful for everyone’s efforts. It also makes me very hopeful for the future.

Wolfgang

BSides Detroit 12 Event Coverage

Detroit Hackers Fly Under Radar. “After spending a little time at BSides, I’m thinking that, not only could Arne Duncan use Payne’s counsel, but there are probably a number of non-IT fields that could benefit from a hacker’s ethos and insight.”

Bsides Detroit – the day after (part 1) and the day after (part 2) by Keith Dixon (Tazdrumm3r). “Over all, Bsides was incredible and the organizers should be proud of what they accomplished. I know, I’m definitely going next year and can’t wait!”

BSides Detroit 2012 Wrap Up by Matt Johnson (mwjcomputing). “I had the honor to organize the #misec dinner the Thursday night before BSides Detroit. … I decided to volunteer this year. Being friends with a few of the organizers, I only felt like it was appropriate. After this weekend, I think I am insane.” Note Matt also has a great group photo of #misec guys threatening to hug me.

Be Inspired By Local Cons by Elizabeth Martin. “Each and every opportunity I have to interact with the many walks of life in the InfoSec community I am inspired to do more, collaborate more, listen more, contribute more, help more, etc.”

BSidesDetroit – ConBlu, first try at presenting, by Scott Thomas (Secureholio). “I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together.”

BSides Detroit 12 Sponsors

InfoSec Career Panel Thoughts

The BSides Chicago career panel generated a fair amount of buzz. The Rats and Rogues podcast brought members of the panel back for a reunion tour. The call featured Nick Donarski (@kizz_my_anthia), Todd Haverkos, Elizabeth Martin (@elizmmartin), and was moderated by Michael (@SecurityMoey). They invited me to join and share a hiring manager’s perspective. You can listen to the career panel here, and I’ve listed some thoughts below.

First, starting your own business remains a strong way to launch a career path. I mentioned the startup I did in my late teens and early twenties, where we served non-profits for free to build technical know-how and social contacts. Nick Donarski shared a similar experience. He started his own information security business at 17. Nick invested in training and used certifications “to leverage to get business. At the client side, the client also used [certifications] as a metric.”

The panel did revisit the certification question. Chris J came out strongly in favor of “use it or lose it”, mentioning that many paper CCNA certified techs could not even describe a subnet in a standard hiring review process. There was a sense that some certification bodies may not be policing their ranks as well as they should. I mentioned “vote Wim Remes” as a rallying call, because I believe that people who have concerns about the certification process should get involved. Remes joined the ISC2 board to raise the value of the CISSP. Todd Haverkos, too, sets a good example by participating on the LPT board.

“Education, Education, Education,” that was Elizabeth Martin’s take-away. Elizabeth drew a fascinating comparison between compliance and certification. In both, it is easier to meet the letter of the rules than it is to meet the spirit. Certification is not about getting a couple of letters after your name. It is about lifetime education that coincides with and is in support of your career path.

But what happens if your career path does not align with your organization’s needs? It comes down to negotiating with your management. Michael: “We are talking about having difficult conversations with you and your manager. The approach I have taken as of late is to be completely honest and transparent. And I don’t think anyone could ever fault you for that.” With a nod to BSides Chicago’s slogan this year, have these conversations early, have these conversations often.

Elizabeth Martin added: “It is the employer’s responsibility to provide you with the opportunities, the tools, and the training. It is up to you to set the path.” She recommended setting 10 year plans with milestones at 1, 3, 5, and 7 year marks. You can always change plans, but only if you have a plan.

We wrapped up the conversation talking about ways to build the next generation of information security professionals. Mentorship works, and we discussed ways to foster that within the local community. It takes a full commitment from all parties. As Todd put it, “In addition to us doing a better job mentoring and creating people, don’t sit idly by. You get what you go for.”

Such mentorship programs, too, should address the entire lifecycle of employment, from hiring to career changes. Then, Elizabeth and Michael took the wraps off a new project: the Mock InfoSec Job Board. Here, hiring managers can host interviews and help candidates hone their skills.

It was a good 90-minute chat and my brief summary does not do it justice. You can listen to the panel here at Rats and Rogues.

Key take-aways:

  • Certification is only one metric of many; consider the candidate’s experience and aptitude to get a broader perspective.
  • Volunteer with certification organizations if you are unhappy with the certification process.
  • Maintain alignment with your reports and with your managers by having regular conversations about career paths and goals.
  • Find ways to build up the next generation of information technology and information security professionals by volunteering in your local area.
  • People looking to practice their interview skills should check out the Mock InfoSec Job Board, and hiring managers looking to build the next generation should consider volunteering.
IT Table Stakes

In the run up to BSides Detroit, one of the speakers pitched his talk as learning the table stakes of Linux security. This was a new term for one of our younger organizers, and the organizer’s question had me thinking of blogging on it.

Table stakes in poker is the minimum amount needed to be in the game. In business, table stakes is often used as a metaphor for the minimum amount needed to enter a market. Jeff Reich (@jnreich) referred to table stakes as the minimum security required in a system on the Down the Security Rabbithole podcast. Since then, more folks have been referring to infosec table stakes.

Now it is helpful to understand technology table stakes. What is the bare minimum that a business expects from the information systems department? Maybe things like back office applications, email, Internet connectivity, and so forth. What expectations are value-add? Line-of-business apps, hopefully, along with services that differentiate one business from another in a given market.

For most any company, there will be many more systems than there are people to secure and operate them. That is the nature of technology today. The trick is to know what systems are table stakes and what systems are differentiators. Once we know that, we can automate, outsource, and minimize the time spent on table stakes. We can then align the team with the differentiators and spend the majority of the time driving business value.