August 26th, 2008
I have been thinking a lot about virtual machine platforms like VMWare and Xen, and whether they present an imminent or long-term threat. Virtual security is getting a lot of attention. Though not as technical as I used to be, I did sit through 2 of the 3 presentations by Invisible Things Labs at Black Hat on the possibility of subverting the hypervisor. Today, I see these attacks as more theoretical to launch from the outside, but it really isn’t too hard to imagine someone putting the pieces together and creating malware that gets inside a VM server farm, or fooling a Xen sysadmin into implementing it in the first person. When you go from practically no VM presentations at previous years’ Black Hats to a whole track this year, it seems more likely that we are only waiting for the hacker market to decide that virtual servers are pervasive enough that money can be made from exploiting them.
Here is where I am having a little bit of a mindset shift. Because virtualization drives consolidation (side note: I attended an investor conference where a VMWare guru talked about the efficiencies of theoretically collapsing 1,000 servers into 10 with VMWare - I wonder how that helps parent company EMC sell more storage!), more valuable data will reside within fewer entities, such as Amazon EC2 (Elastic Compute Cloud), which has standardized on Xen. So, I expect the bad guys to actually focus on attacking entities like EC2 as a matter of economics, which means they aren’t just profiling the attack surface of the underlying hypervisor, but the enabling technology and processes wrapped around the virtual machine platform for provisioning, management, etc., which may or may not be as well vetted as the core VM components. So, while I do think there is a reasonable, if not perfect, focus on securing the hypervisor, I see these pseudo-application-layer attacks targeted at the virtual infrastructure providers as both inevitable and profitable. We need some level of reorientation of our focus on virtual security.
Posted in Articles, Future Forecast | 1 Comment »
August 19th, 2008
By Kurt Seifried (I am posting for him because he is too damn lazy)
So I’ve been dealing with CVE (http://cve.mitre.org/) for several years now, first as an “oh that’s neat” and later as an “if we comply with this standard, I will feel 37% less suicidal” (which is a good thing, finding competent tech writers is tricky). I used to email Steve Christey with additions and corrections, but then lost the will to live for a little while (here’s a hint: making a tech writer write essentially the same thing over and over 10 times a day for 6 years will literally suck the life from them).
I recently had an opportunity to talk to Christey, who, like most of us, has a finite budget and a virtually infinite amount of work to do. Myself, I’d like to be able to apply CVE numbers to issues that do not yet have a CVE number. A match made in heaven or simply two people struggling to do their own thing? A match made in heaven: I talked to Christey about him outsourcing some of his work (i.e. giving blocks of CVE numbers to people, not for new issues, but for application to known issues), which has the benefit of giving him what he wants (more CVE submissions with minimal work) and giving me what I want (applying CVE numbers to issues I need to track).
Chances are I will get what I want, even if Christey reads this (which is pretty likely since I’m emailing him a copy). Why? Because I’m making sure he gets what he wants. Ultimately I can’t make anyone do what I want them to, I can certainly encourage them (for example by holding their family hostage), and I cannot force them to, as evidenced by the movie “Firewall” – no, seriously.
Open Source is a perfect example of outsourcing costs: everybody gets what they want (I get free software, the project gets updates and bug fixes). So why not apply this to other aspects of your life? No seriously, why not? Some people call this “win-win”, others call this “NLP”. Whatever you call it, if everyone involved gets what they want, then everyone goes home happy.
“Security isn’t a dirty word…. Crevice is a dirty word. Security isn’t.”
A free beer to the first person to identify the quote. Conditions and rules may apply. Offer not valid where cash, credit or debit is accepted.
Posted in Articles, That Old Problem | 2 Comments »
August 12th, 2008
As we should be able to predict by now, the Russian incursion into Georgia has extended into the Internet as well, defacing Georgian sites and disrupting Internet service. Unfortunately, it is too cheap and easy not to launch attacks, and for all our investments in technical defenses, we seem only able to perform post facto analysis. Welcome to the future.
Posted in Articles | No Comments »
August 5th, 2008
I am finishing up the excellent Pacific Crest Tech Forum in Vail and getting ready to head over to Black Hat in Vegas. A couple of items I am going to be thinking about on the flight over:
Vasco disclosed that they are providing the new strong authentication token for Blizzard Entertainment’s World of Warcraft gamers and that it is selling well so far. An interesting uptake of tokens on the consumer side.
Microsoft announced that they have achieved ISO 27001 certification. Will others follow?
Posted in Articles | No Comments »
August 1st, 2008
Dan Kaminsky and Cricket Liu are going to be covering the DNS cache poisoning issue currently raging. You can go here to register.
Posted in Just Thumbed In | No Comments »