SecuraBit Episode 57: Doctor Cole, I Presume?

Hosts:
Anthony Gartner @anthonygartner http://anthonygartner.com
Christopher Mills @thechrisam
Chris Gerling @chrisgerling
Andrew Borel @andrew_secbitGuests:
Dr. Eric Cole, Ph.D. – @drericcoleGeneral topics:
Mr. Cole is teaching the upcoming SANS vLive! 501 course which starts on June 22.

We discussed VOIP security, or the lack thereof.
Signature based security solutions are going the way of the dinosaur, it’s all about behavior and dynamic detection, such as heuristics now.
How to protect your privacy online:
http://twitter.com/ChrisPirillo/status/13881888168Links:
http://www.sans.org/security-training/instructors_upcoming.php?id=34
http://www.securityhaven.com/Sunbelt Software Webinar: Thursday, May 27, 2010, 2PM – 3PM EDT
Quarterly Briefing: Turn the tables on Bad Guys: Malware Unmasked

The cyber threat landscape is constantly changing, and even with the most sophisticated security you’re never completely protected from attacks. As part of our mission to ‘keep the bad guys out’, SunbeltLabs presents in this webinar how we use our own sandbox technology to keep a step ahead.

Sunbelt Software’s Lead Security Analyst, Brian Jack and Malware Response Manager, Dodi Glenn will discuss the current threat landscape and dig deeper into some of the most dangerous and complicated threats out there.  During this briefing we will focus on two different types of threats: malicious PDFs and rogue antivirus applications. Learn how to gain an edge when protecting your enterprise.

Whether you are dealing with spear phishing or mass attacks, join us to see how to deploy the right tools and learn how to quickly analyze and unmask malware. New threats require new technologies and techniques to protect yourself and your organization.  Sign up now and turn the tables on the bad guys.

Chat with us on IRC at irc.freenode.net #securabit

Interview with Joanna Rutkowska!

Several of our recent episodes have focused on crimeware and banking trojans.

In SecuraBit Episode 54 – Lions and Tigers and Banking Trojans, OH MY! we had Panda Security’s Sean-Paul Correll discussing Panda’s annual security report that disclosed the fact that 66% of all malware being released attempts to commit financial crime. In SecuraBit Episode 52: To catch a Mule with Krebs on Security! investigative reporter Brian Krebs (@briankrebs) discussed the Zeus banking trojan and the use of money mules to steal money. According to Shawn Henry, Assistant Director in the FBI’s Cyber Division, “More money is stolen electronically or in data breaches than through bank robberies.”

On April 7th, security researcher Joanna Rutkowska announced the development of a new high-security operating system, Qubes, that is a promising approach to addressing this problem. Joanna is well known in the security community through her presentations at security conferences around the world. Joanna was recently listed by NetworkWorld as one of the 12 “White Hat” hackers you should know. Joanna was kind enough to agree to an interview discussing Qubes.

BH: How did you get your start in security?
JR: It’s been so long ago, that I don’t remember anymore 😉
BH: After working so long with rootkits and VM compromises, why did you decide to design an OS?
JR: Well, indeed, we have done lots of offensive research over the past years, in the areas ranging from kernel rootkits, through virtualization security, and on the chipset and CPU security ending. During this time we have gathered lots of experience regarding how system software should and should *not* be built. And finally we became ready to build a system with a satisfactory level of security, I think. Also, the last year was somehow a break-through in terms of availability of some advanced hardware technologies for ordinary customers. One cannot really design and build a secure system  without a IOMMU and some trusted boot technology. Intel VT-d and Intel TXT technologies implement those two important technologies, and they have just entered shops in 2009.
BH: How long have you been working on Qubes?
JR: Over 6 months now. The first 2-3 months were mostly spend on designing the architecture, the rest on coding.
BH: How did you come up with the name Qubes?
JR: Oh, I though it was pretty obvious. “Qubes” is just a fancy way of writing “Cubes”, and each “cube” is supped to symbolize a Virtual Machine (VM). When we think about a Virtual Machine in security, we think about some kind of a cage, or a cube, something that is capable of containing and jailing whatever is inside (e.g. a malicious program).
BH: Can you briefly describe the goals of Qubes?
JR: To provide strong security for desktop computing by implementing “Security by Isolation” principle in an effective and easy-to-use way. My goal with Qubes is to make it useable not only by Linux geeks, but also by people like lawyers, doctors, businesspeople, and anybody who is concerned about potential compromise of their data.
BH: You mentioned using “security by isolation” as being superior to “security by obsecurity” or “security by correctness”    Can these approaches be combined?
JR: Actually, we always need “Security by Correctness” — there are always some elements in any system that must be flawless in order to manage and secure the rest of the system. But an attempt to apply the “Security by Correctness” approach to the whole system, including Web browsers, PDF readers, etc, is simply not reasonable. We won’t be able to find and patch all the bugs in all our applications anytime in foreseeable future. It is simply naive thinking. So, instead, we designed Qubes to minimize the number of elements in the system that we need to trust, i.e. those where we need “Security by Correctness”. The potential attack surface in Qubes is orders of magnitude smaller than in a typical mainstream OS like Windows, Linux or Mac OS X.
BH: What functionality has been the most difficutlt to design?
JR: That would be the GUI virtualization. In Qubes we wanted to provide seamless integration of all the user’s applications on one desktop, just like if all the applications were executing natively. But, of course, they all run in different VMs. The obvious solution would be to let all the applications to connect to one common X server so it could present them all on one desktop. But that would be a very bad security decision, because the X protocol is very complex, and I bet there are dozens of ways to exploit it. So, we had to create a special GUI daemon and a protocol to extract the application’s, so called, composition buffers from each VM’s private X server, and bring them all and display on the common desktop in Dom0. The protocol we implemented for this is extremely simple — just a few messages, compared to hundreds or thousands of complex messages in case of a regular X protocol. At the same time our GUI implementation turned out to be very efficient, so that it’s perfectly possible to e.g. watch fullscreen movies running in AppVMs. The GUI daemon is one of those few elements of the system that we must absolutely trust and that we hope are flawless (the GUI daemon itself counts some 2,000 Lines of Code). If an attacker found an exploitable bug in our GUI daemon, then they would be able to compromise the whole system.
BH: Several leading regulatory agencies have suggested using Live CD’s for conducting high-risk  financial transactions. Do you think Qubes could be used in this way, or is it an alternative approach?
JR: And how often are they advised to reboot the system? Every day? Every 1 hour? Or perhaps every 5 minutes? 😉 Still, they cannot prevent more advanced attacks, e.g. persistent BIOS infections [our team has recently showed it was possible to infect one of the most secure BIOS: the Intel vPro BIOS — see this link http://invisiblethingslab.com/press/itl-press-2009-03.pdf The whole idea behind Qubes is that you would not need to use such childish and annoying tricks.
BH: Is there a limit to how many ApplicationVM’s can be created?
JR: Yes, it is dictated by the amount of RAM your machine has. With 4GB RAM you should be able to run 7-10 VMs, depending on how much memory you assign to each VM (e.g. AppVMs for less demanding tasks might be assigned only 100 or 200 MB, while those used for Web browsing, running office apps, etc, would need some 400 MB; you also need to leave some 700 MB for your Dom0). We’re definitely planning to look into optimizing per-VM memory memory footprint in future versions, although if you have 4GB of RAM that’s pretty much enough for most usage cases even with current implementation. Please note that Qubes already optimizes disk usage for AppVMs — thanks to smart filesystem sharing, each AppVM takes only as much disk space, as needed for string its private data (e.g. user files). One side effect of this efficient filesystem sharing is the ability to automatically update software (e.g. Web browsers) in all the AppVMs all at once, which is extremely useful in practice.
BH: Do you plan to use content based page sharing to reduce memory footprint?
JR: This is currently a subject for further research.
BH: Do you plan to have application white listing within the ApplicationVMs?
JR: That’s certainly possible.
BH: In your architecture document you mention Firewalling ports in/out per VM. Do you think the complexity of doing this will restrict the acceptance of the OS?
JR: First, this is just an optional feature for the more demanding users. Also, we plan to provide pre-configured setups in the future, and perhaps also some management tools that would make more advanced setups much easier for non-technical users.
BH: You mention that the network stack is untrusted since you are using end-to-end encryption from within the ApplicationVM. Would protocol attacks such as certificate attacks or DNS poisoning be problematic?
JR: When we consider attacks on network protocols, then there is no difference if the attacker runs the exploits over WiFi, sitting in the adjacent hotel room or in the same lounge at the airport vs. if the attacker has compromised the NetVM. The opportunities are equal. If SSL or SSH is broken, you do have troubles, no matter if the NetVM is compromised or not.
BH: When do you expect Qubes to leave Alpha?
JR: Most likely at the end of summer holidays.
BH: What types of commercial extensions do you envision?
JR: One example would be support for running Windows-based AppVMs. Another example would be, as previously mentioned, various tools that would help to configure and setup Qubes deployments, especially in corporate environments.
BH: What can the community do to help?
JR: We have wiki with many information about the project, including how people can contribute: http://www.qubes-os.org/trac/wiki
BH: Thank you for taking the time for this interview. We look forward to watching the progress of this new operating system.

SecuraBit Episode 56: “Try Harder” – used with permission

SecuraBit Episode 56: “Try Harder” – Used with permission

Hosts:
Anthony Gartner @anthonygartner http://anthonygartner.com
Christopher Mills @thechrisam
Chris Gerling @chrisgerling
Jason Mueller @securabit_jay
Andrew Borel @andrew_secbit

Guests:
Chris Hadnagy – @humanhacker
Operations Manager and involved with
www.offensive-security.com
www.backtrack-linux.org
http://www.social-engineer.org/

General topics:
MSFU course Saturday the 8th from 10am to 5pm in Louisville, KY‎

Chris Speaks of a new kernel update released around the day of recording for Backtrack 4

Since you are able to listen to this podcast the DNS Security Update did not affect you

SANS Investigative Forensic Toolkit (SIFT) was updated

Links:
http://www.exploit-db.com/
http://www.offensive-security.com/images/ryu-help-me.png
Kid Friendly Podcast
http://www.social-engineer.org/framework/Social_Engineering_Framework

Free MSFU Course
http://www.offensive-security.com/metasploit-unleashed/
SANS SIFT
https://computer-forensics2.sans.org/community/siftkit/

Sponsor mention: Sunbelt Software Webinar: Thursday, May 27, 2010, 2PM – 3PM EDT
Quarterly Briefing: Turn the tables on Bad Guys: Malware Unmasked
Register Here!

The cyber threat landscape is constantly changing, and even with the most sophisticated security you’re never completely protected from attacks. As part of our mission to ‘keep the bad guys out’, SunbeltLabs presents in this webinar how we use our own sandbox technology to keep a step ahead.

Sunbelt Software’s Lead Security Analyst, Brian Jack and Malware Response Manager, Dodi Glenn will discuss the current threat landscape and dig deeper into some of the most dangerous and complicated threats out there.  During this briefing we will focus on two different types of threats: malicious PDFs and rogue antivirus applications. Learn how to gain an edge when protecting your enterprise.

Whether you are dealing with spear phishing or mass attacks, join us to see how to deploy the right tools and learn how to quickly analyze and unmask malware. New threats require new technologies and techniques to protect yourself and your organization. Sign up now and turn the tables on the bad guys.

Chat with us on IRC at irc.freenode.net #securabit

SecuraBit Episode recording live tonight!

Hey folks,

Join us tonight as we interview Chris Hadnagy who is the Operations Manager for Offensive Security!  We plan to discuss their online training courses, the BackTrack linux distribution, and more!  If you have any questions for him please hit us up on twitter, comment here, email us, or join us in our IRC channel on freenode #securabit

See you tonight around 8pm EST!