Archive for February, 2017

MITM-as-a-Service: The Threat Surface We Didn’t Know We Had

February 26th, 2017

This past week, as most security professionals know by now, a severe bug was discovered in the Cloudflare content delivery network's service by noted researcher Tavis Ormandy: a parser bug on Cloudflare's edge leaked uninitialized memory, which could include other customers' traffic, into HTTP responses. Organizations should pay attention when Tavis reaches out, just like they should when Brian Krebs reaches out – there's a damn good reason, and it's probably important. I'd like to publicly commend the team at Cloudflare for handling this as well as anyone could in that situation. They took him seriously, responded quickly, and worked their butts off to get the problem handled. From everything I've seen, a model vendor response to a serious issue. If you're just learning about this, here are some links to get the background:

Project Zero page describing the bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Cloudflare blog post: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Troy Hunt's EXCELLENT writeup on this: https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
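The post deliberately doesn't walk through the bug itself, but the Cloudflare incident report linked above attributes the leak to generated parser code whose end-of-input test was `p == pe` while a state transition could push `p` past `pe`. The C program below is an added illustration of that bug class, written for this page; it is not Cloudflare's parser, and the toy scanner, the arena contents and the function names are all made up. It runs the same scanner once with the buggy `==` check and once with `>=`, and counts how many bytes each version examined from beyond the declared input.

```c
#include <stddef.h>
#include <stdio.h>

/* What the scanner did: how many bytes it examined, and how many of
 * those lay past the declared end of the input (should always be 0). */
typedef struct {
    size_t consumed;
    size_t over_read;
} scan_result;

/* Toy byte scanner in the shape of Ragel-generated code: p walks the input,
 * pe marks its end. On '<' it skips the '<' plus a two-byte tag name, which
 * carries p beyond pe when the '<' is the last input byte. The buggy
 * end-of-input test, `p == pe`, then never fires and the loop keeps reading
 * whatever sits after the buffer; `p >= pe` stops it. `stop` bounds the
 * simulation so it only ever reads from our own arena instead of crashing. */
static scan_result scan(const char *buf, size_t len, const char *stop,
                        int use_fixed_check)
{
    const char *p = buf;
    const char *pe = buf + len;
    scan_result r = {0, 0};

    for (;;) {
        if (use_fixed_check ? (p >= pe) : (p == pe))
            break;                  /* the _test_eof exit */
        if (p >= stop)
            break;                  /* arena exhausted: end the simulation */
        r.consumed++;
        if (p >= pe)
            r.over_read++;          /* byte examined from outside the input */
        if (*p == '<')
            p += 3;                 /* '<' plus a two-byte tag name */
        else
            ++p;
    }
    return r;
}

/* Constructed arena (not captured data): a 10-byte "request" that ends in an
 * unterminated '<', immediately followed by unrelated bytes standing in for
 * whatever neighbours the buffer in memory. */
static const char arena[] = "<p>hi</p><"         /* the input, 10 bytes */
                            "SESSION=deadbeef;"; /* neighbouring memory, 17 bytes */
enum { INPUT_LEN = 10 };

/* Run the scanner over the arena with either the buggy or the fixed check. */
scan_result scan_demo(int use_fixed_check)
{
    const char *stop = arena + sizeof(arena) - 1;  /* the terminating NUL */
    return scan(arena, INPUT_LEN, stop, use_fixed_check);
}

int main(void)
{
    scan_result buggy = scan_demo(0);
    scan_result fixed = scan_demo(1);
    printf("buggy ==: examined %zu bytes, %zu from beyond the input\n",
           buggy.consumed, buggy.over_read);
    printf("fixed >=: examined %zu bytes, %zu from beyond the input\n",
           fixed.consumed, fixed.over_read);
    return 0;
}
```

Compiled with any C99 compiler, the buggy check examines 21 bytes, 15 of them from the "neighbouring memory" after the input, while the `>=` check stops after 6 bytes with nothing over-read. The point for the thesis of this post is what those 15 bytes stand for: on a shared edge, the memory after one customer's buffer is whatever another customer's request left there.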

Rather than just be another blog talking about this issue (I think it’s been covered well enough elsewhere), I’d rather focus on the bigger picture for a minute. As someone who works with many organizations on their virtualization and cloud architecture, strategy, and more, I believe this incident is one we should really take to heart for a few reasons.

The nature of security architecture has been changing for a few years now. CDN services like Akamai and Cloudflare are almost mandatory for many organizations that need security and availability controls applied to their internet traffic, and applying those controls means the CDN terminates TLS and handles the plaintext. The Cloud Access Security Broker (CASB) market is also growing rapidly, and CASBs likewise sit in the path of, and process, organizations' cloud data.

The entire nature of trust is changing with these trends. We're relying on SSAE 16 SOC 2 reports and other *extremely* superficial documentation offered by the service providers to guarantee that security best practices are being followed. What we really don't know, however, is the TRUE nature of the software and architecture in place within these environments, because the providers never offer this. Ever.

We’re exposed using these services, of course. I’m as bullish on cloud as anyone. But we are not really modeling our threat surface around these services, and occasionally things will go dramatically wrong. I believe this is an opportunity for those in the bug bounty industry to shine – where we have the least visibility, and the most trust assumed. Not to knock Cloudflare, but Tavis called out their bug bounty – a T-shirt. That’s not a bug bounty, that’s just a token to say you have a bounty program. If you want the best hackers to REALLY find your issues for you, ethically and professionally, you need to step up. More than that, WE (the community using cloud providers and the brokering services that transit our data to and fro) need the best hackers in the world looking at these technologies with a much more scrutinizing eye than a CPA firm with a checklist.

I think this will hit a tipping point sooner rather than later, sadly. Cloudflare handled the problem admirably, and we really don’t know how exposed people’s data was (although everyone and their mothers are speculating wildly, of course, this being the infosec community). That may not be the case forever – sooner or later, someone is going to turn one of these CASBs or CDNs into the world’s biggest Man-in-the-Middle tool, and things are really going to get ugly.

The More Infosec Changes, the More it Stays the Same

February 14th, 2017

I took a full year off from blogging. It felt wonderful. Time to get back to being my ranty self, though, so I’m kicking off 2017 in style, at RSA in San Francisco.

This will be a short post.

It's amazing to me that, in all this time in the industry, we have the exact same scenarios (albeit in different ways) that we did 10 years ago.

Passwords everywhere, just killing us.

Massively insecure software development from vendors – now it’s the IoT, of course, but just terrible practices.

Vendors making insane claims that are just laughable.

Companies not fixing the most basic of security issues. Consistently.

There’s so much to talk about, and yet nothing to talk about…we’re really saying the same things we’ve been saying for many years. The bigger question is WHY things are the same. It’s easy to be cynical, and laugh it off with peers in the industry. But this is turning into a real mess, and quickly. Something’s got to give.

I’ll be writing weekly from here on out. Turns out, I’ve missed it.

If you’re at RSA this week, say hi!

Categories: Information Security, Musings