Category Archives: Application Security

New report: “Web Application Firewall: 2010 And Beyond”

I was offline for a bit to deal with some family issues. Good to be back.

Today’s quick post is on a hot-off-the-press report I just published: “Web Application Firewall: 2010 And Beyond”. http://bit.ly/9utFJG.

The premise is that pure WAFs are morphing into WAF+, which finds its place in firms’ network infrastructure.

A quick abstract: “Having been thrust into the spotlight by payment card industry (PCI) data security standard (DSS) requirements three years ago, Web application firewall (WAF) — a technology that detects and blocks attacks against Web applications — has significantly matured. It’s taken on a decidedly interesting identity, and standalone WAFs are almost nonexistent. In its place are solutions that include additional network functionality like content acceleration, application visibility, authentication, and database monitoring. We dub this new family of products “WAF+”. Forrester estimates the 2009 market revenue of the WAF+ market to be nearly $200 million, and the market will grow by a solid 20% in 2010. Security and risk managers can expect two WAF trends in 2010: 1) midmarket-friendly WAFs will become available, and 2) larger enterprises will gravitate toward the increasingly prevalent WAF+ solutions.”

More details on the Microsoft vulnerability that led to the Google hack

Microsoft today released an Out-Of-Band (OOB) security update, MS10-002 (http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx), that addresses, among others, the IE vulnerability that was responsible for last week’s Google hack.

This OOB security update addresses 8 vulnerabilities in total and is considered a critical security update for Internet Explorer. Microsoft recommends that IE users take immediate action as a result of this security update. More specifically, if you are running IE v6, immediately install the security update. Better yet, immediately upgrade to IE v8, the latest version.

Additional background on the vulnerability and the attack: This vulnerability was disclosed to Microsoft via the proper channels in December 2009. At that time, there were no known exploits in the wild against this vulnerability. Microsoft told me that they followed the normal procedure and had scheduled the patch to be released in their regular February 2010 security update. When the attack against Google and others surfaced last week, Microsoft accelerated the patch process and decided to issue this OOB update ahead of their February scheduled release.

All versions of Windows are affected by this particular vulnerability. However, IE v6 is particularly vulnerable. IE v6 is believed to be involved in the Google attack – some Google employees were running IE v6, which led to the attack. IE v7 and v8, though also vulnerable, have other protection mechanisms, such as Data Execution Prevention and Address Space Layout Randomization, which would have made the attack less likely to succeed.

For the techies out there, this is a vulnerability that can lead to remote code execution. Here is how the attack worked:

- This vulnerability is an IE memory corruption issue that can be triggered by malicious JavaScript to copy, release, and then later reference a specific Document Object Model (DOM) element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker’s code.

- In this attack, a Google user is enticed, via email social engineering, to a malicious website that has exploit code targeting this browser vulnerability.

- The website exploits the vulnerability, injects prepared attack code, and executes it on the user’s desktop.

- This code can then do anything the user is capable of doing, including logging onto corporate servers.

- The rest is history as we know it.
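The first bullet describes a classic use-after-free: a pointer to a DOM element is copied, the original is released, and the stale copy is used later. The following C program is an added example (written for this post, not Microsoft's or IE's code) that models that pattern on a toy element with a function pointer, and then shows the ownership discipline that prevents it: reference counting so an object cannot be freed while another reference exists, releases that clear the caller's pointer, and dispatch that tolerates a cleared reference. The `Element` struct, `DemoResult`, and all function names are constructed for the illustration; the vulnerable function deliberately stops short of dereferencing the dangling pointer and only records that one exists.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a DOM element, constructed for this example (not IE's real
   object layout). The function pointer is the field that matters once freed
   memory is reused, which is why a dangling reference is dangerous. */
typedef struct Element {
    int refcount;
    char tag[16];
    void (*on_event)(struct Element *);
} Element;

typedef struct {
    int dispatched;   /* event handlers that actually ran */
    int freed;        /* objects returned to the allocator */
    int dangling;     /* raw pointers left pointing at freed memory */
} DemoResult;

static void default_handler(Element *e) { printf("event on <%s>\n", e->tag); }

Element *element_new(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->refcount = 1;
    strncpy(e->tag, tag, sizeof e->tag - 1);
    e->on_event = default_handler;
    return e;
}

void element_retain(Element *e) { e->refcount++; }

/* Release through a pointer-to-pointer so the caller's variable is cleared.
   The object is freed only when the last reference goes away. Returns 1 if freed. */
int element_release(Element **ep) {
    Element *e = *ep;
    if (!e) return 0;
    *ep = NULL;
    if (--e->refcount > 0) return 0;
    memset(e, 0, sizeof *e);   /* poison: a stale read finds no usable handler */
    free(e);
    return 1;
}

/* Null-tolerant dispatch: a cleared reference is a no-op, not a crash.
   Returns 1 if a handler ran. */
int element_fire(Element *e) {
    if (!e || !e->on_event) return 0;
    e->on_event(e);
    return 1;
}

/* The bug pattern from the bulletin: copy the pointer, release the original,
   then use the copy. We stop short of dereferencing 'copy' (that would be the
   use-after-free) and only record that a dangling pointer exists. */
DemoResult vulnerable_pattern(void) {
    DemoResult r = {0, 0, 0};
    Element *e = element_new("img");
    Element *copy = e;            /* copy: a second raw reference, no ownership */
    free(e);                      /* release: the owner frees, the copy knows nothing */
    r.freed = 1;
    r.dangling = (copy != NULL);  /* reference: copy->on_event(copy) here = UAF */
    return r;
}

/* Hardened pattern: the copy takes a reference, releases clear the caller's
   pointer, and dispatch tolerates NULL. The object lives exactly as long as
   someone holds it, so there is no window in which a live pointer is stale. */
DemoResult hardened_pattern(void) {
    DemoResult r = {0, 0, 0};
    Element *e = element_new("img");
    Element *copy = e;
    element_retain(copy);               /* copy now co-owns the object */
    r.freed += element_release(&e);     /* refcount 2 -> 1: not freed; e is now NULL */
    r.dispatched += element_fire(e);    /* e is NULL: no-op instead of a stale use */
    r.dispatched += element_fire(copy); /* live reference: handler runs */
    r.freed += element_release(&copy);  /* last reference: freed now */
    r.dangling = (e != NULL) + (copy != NULL);
    return r;
}

int main(void) {
    DemoResult v = vulnerable_pattern(), h = hardened_pattern();
    printf("vulnerable: freed=%d dangling=%d\n", v.freed, v.dangling);
    printf("hardened:   freed=%d dispatched=%d dangling=%d\n",
           h.freed, h.dispatched, h.dangling);
    return 0;
}
```

The point of the two counters is that in the hardened version no pointer is ever both non-NULL and stale: ownership is tracked, the release path clears the variable it was called through, and poisoning the object before `free` means even a bug that slips past those checks finds a zeroed function pointer rather than attacker-prepared memory. Platform mitigations such as DEP and ASLR, mentioned above for IE v7 and v8, sit underneath this and make the remaining window harder to exploit, but they do not remove the dangling reference itself.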

For a more specific analysis of the vulnerability, refer to Jonathan Ness’s SRD blog at Microsoft: http://blogs.technet.com/srd/.

Google tells me that the employee whose desktop was compromised was running IE v6 (as opposed to Chrome, haha) for testing purposes. Really?! Does the test involve the user using the outdated browser to surf the Internet?

That said, the more pertinent topic, of course, is how we could avoid such attacks in the future. A few tips to start with:

- Always run up-to-date software and patches, browser and otherwise.

- Educate users about social engineering threats – this continues to be a thorn in IT’s side.

- In addition, and this is very important: Use a web filtering product that is able to recognize web-based malware, such as the JavaScript-based malware involved in the Google hack, and one that is integrated with email threat protection.

In the meantime, share your thoughts here or on Twitter. Follow me on Twitter: @Chenxiwang

Ok. There is more (or maybe less) to the VPN story, Google says

Google called me again after I posted the latest follow-up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is that: “This is not accurate”. So, I should rephrase how the attack happened:

a) A Google employee’s machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.

At Google’s request, I retract that particular statement.

This is what we do know factually:

1) The attack on Google’s servers happened.

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn’t going on the record to say that the attack came in via the VPN, and that’s their official position.

Follow up: Google calls and confirms the VPN story.

Google called me five minutes ago and confirmed that the attacker indeed came in via the corporate VPN access. On top of that, they told me that the victim machine was a corporate-managed machine, not a home computer.

As to why Google employees were running IE v6, Google’s position is that someone might be running IE v6 for testing purposes. Whether this was indeed what happened, they wouldn’t say. Ok, I can buy that you might be running an older version of a browser for testing purposes (for backwards compatibility), but why wasn’t the testing environment isolated from production and from access to critical assets? Isn’t that one of the first things you do in setting up a test environment? Google assured me that they are taking steps to rectify the situation, and for the sake of everyone who trusts Google with their data and applications, I hope they do it soon.

A funny related note: I’ve been trying to get Google’s attention for over a week on a security interview, but they were too busy to respond (understandably, I guess). Five minutes after I put up this blog entry, though, Google calls me on my mobile. :-)

Why Google and Microsoft were at fault for the attack, not cloud computing

By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. With one of the world’s largest Internet markets at stake, as well as the already tenuous relationship between the US and China, it is no wonder this attack is drawing headlines worldwide.

Why isn’t this an attack on cloud computing?

First of all, the mechanics of the attack, though not entirely clear, have nothing to do with cloud computing. What we do know is the following: A Microsoft browser vulnerability was exploited, some employees’ desktops were compromised, and the attacker used the compromised desktops via Google’s VPN to get to some of the servers. As a result, Google apparently issued an emergency refresh of the entire corporate VPN infrastructure last week, leading to more than a little bump in the road for employee productivity, which lasted more than 24 hours.

So, let’s look at the facts here. Exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is again nothing new. What is at the root of the problem here is a vulnerability from everybody’s “favorite” software company (more about this vulnerability to come later today), not the fact that the target of the attack is a prolific cloud computing company.

However, some of my clients (and many others) were asking why they would want Google to host their applications/data if Google is a bigger attack target than they are. This is indeed an interesting question, one that is worth exploring. This question is particularly interesting when you consider that the attack in question involved exploiting vulnerabilities in IE 6. Why would Google employees still be running IE 6, an outdated browser? Clearly Google’s corporate IT isn’t doing a good job. But the fact that the attacker used VPN to further its attack suggests that the initial victim machine may not have been a corporate-managed machine. However, we do not know for sure. In any case, Google is at fault here for not managing its risks adequately. And being one of the biggest cloud computing companies, they should know better.

I will be uploading another entry on the specifics of the Microsoft vulnerability after 10am pacific today. Stay tuned. In the meantime, let me know what you think of the attack and the implications.

This entry will be cross-posted to Forrester’s SRM blog: http://blogs.forrester.com/srm.

BSIMM Begin web survey

Friends over at Cigital are starting a web BSIMM survey. While I do not generally endorse vendor studies, I do think the original BSIMM study is a well-done investigation of how software security is practiced in some of the leading enterprises. If you belong to an organization that has a software security program, you may want to participate in this study. The URL is here:

http://www.bsi-mm.com/begin/