Gartner on Vulnerability Assessment

For years, Gartner has been recommending VA/VM as the effective way to prevent successful attacks, only they’ve been a bit too low key about it in my opinion. Of course as a VA vendor I’m not even going to pretend to be objective here, but I always wondered if the fact most leading vendors are relatively small made Gartner pay less attention to the field.

Whatever the reason was, Gartner just came out with Strategies for Dealing with the Increase in Advanced Targeted Threats.
Here are some nice quotes; I especially liked the one about 0-days. I’m in complete agreement with all of them:

Quotes from this article (emphasize is mine):

Enterprises need to focus on reducing vulnerabilities

” There are existing security technologies that can greatly reduce vulnerability to targeted attacks.”

” … the real issue [is] focusing on the vulnerabilities that the attackers are exploiting. “

The reality is that the most important issues are the vulnerabilities and the techniques used to exploit them, not the country that appears to be the source of the attack”

Own the vulnerability; don’t blame the threat: There are no unstoppable forces in cyber attacks” (this one should be printed on T-shirts).

“If IT leaders close the vulnerability, then they stop the curious teenager, the experimental hacker, the cybercriminal and the information warrior”

“Many attacks that include zero-day exploits often use well-known vulnerabilities as part of the overall attacks.”

HDCP Master Key Leaked

High-bandwidth Digital Content Protection (HDCP) is a form of copyright protection developed by Intel. It is designed to prevent the copying of digital audio and video as it travels accross media interfaces such as HDMI, DisplayPort or Unified Display Interface (UDI).

The system is meant to stop HDCP-encrypted content from being played on devices that do not support HDCP or which have been modified to copy HDCP content. Before sending data, a transmitting device checks that the receiver is authorized to receive it. If so, the transmitter encrypts the data to prevent eavesdropping as it flows to the receiver.

Manufacturers who want to make a device that supports HDCP must obtain a license from Intel subsidiary Digital Content Protection, pay an annual fee, and submit to various conditions.

On 14th September 2010 the HDCP Master Key was somehow leaked, and published online in various sources. At present it is unknown how this Master Key was obtained, or whether Intel is doing any investigations as to how this happened. Intel has however threatened to sue anyone.

The leaked master key is used to create all the lower level keys that are stored within devices, so you can see what a nightmare this must be for Intel.

Intel have threatened to sue anyone that makes use of this key under intellectual property laws. However it will now only be a matter of time before we start seeing black market devices appearing.

If anyone’s at all interested though, you can find the key here.

Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that is is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.