Dr. InfoSec™

QOTD - Stiennon on Controls

2010-02-08T05:23:00.000-08:00

No matter how smart you are you cannot impose controls on something you do not control. -- Richard Stiennon, founder of IT-Harvest, an independent analyst firm

Src: ThreatChaos Security Blog | ThreatChaos

QOTD - Schmidt on Security

2010-02-07T05:38:00.000-08:00

There are no absolutes. We will never have 100 percent security and still have an open society. -- Howard Schmidt, White House Cybersecurity Coordinator

Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov

QOTD on Cyber Threats

2010-02-06T05:07:00.000-08:00

Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey. -- Dennis C. Blair, Director of US National Intelligence

Src: U.S. 'Severely Threatened' By Cyber Attacks -- InformationWeek

QOTD on Privacy vs Security

2010-02-05T05:16:00.000-08:00

I've said for a long time privacy and security are two sides of the same coin. Very clearly, without security, we have no privacy. Data protection is key to the things we're going to do. -- Howard Schmidt, White House Cybersecurity Coordinator

Src: Privacy not taking back seat to security, cyberchief says | Federal News Radio 1500 AM

QOTD on Free Speech

2010-02-04T05:02:00.000-08:00

At some point people who care about free speech will realise that free speech has to be funded, otherwise it's not free. -- Paul Lashmar, investigative journalist

Src: BBC News - WikiLeaks whistleblower site in temporary shutdown

QOTD on The Cloud

2010-02-03T05:18:00.000-08:00

I’m a big proponent of moving things to the cloud, but doing it right. -- Howard Schmidt, White House Cybersecurity Coordinator

Src: Howard Schmidt: “We will never have 100 percent security and still have an open society” | Executive Gov

QOTD on OS Security

2010-02-02T05:16:00.000-08:00

The most secure [operating] system is the one that you know how to secure. -- Carole Fennelly, director of content and documentation at Tenable Network Security

Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD on Social Engineering

2010-02-01T04:26:00.000-08:00

Graham Cluley, senior technology consultant at Sophos, sheds light on the debate about PC vs Mac security:

They're both mature operating systems from the security point of view, and as good as each other. But, crucially, it's not about the operating system that is being run on the computer, it's the fleshy human sitting in front of it...I would argue that an Apple Mac user wanting to watch the 'Erin Andrews Peephole Video' is just as likely to download a bogus browser plug-in to help them do that, as a Windows user. And it doesn't matter that Mac OS X will ask them to enter their username and password to install the plug-in--they want to watch the video, they will enter their username and password. Social engineering is the unifying threat that puts all computer users at risk, regardless of operating system. And that's what most threats exploit.

Src: In their words: Experts weigh in on Mac vs. PC security | InSecurity Complex - CNET News

QOTD on Cyber Threats

2010-01-30T05:44:00.000-08:00

Speaking generically, we're seeing a lot more targeted attacks where people focus on [employees with] the highest set of privileges, and then work backwards, gaining access to secondary parties to get to the primary source. George Kurt, McAfee chief technology officer

Src: Hackers ran detailed reconnaissance on Google employees - V3.co.uk - formerly vnunet.com

QOTD on APTs

2010-01-29T05:26:00.000-08:00

Every piece of APT [Advanced Persistent Threat] malware cataloged by MANDIANT initiated only outbound network connections. No sample listened for inbound connections. So, unless an enterprise network is specifically monitoring outbound network traffic for APT-related anomalies, it will not identify the APT malware outbound beaconing attempts. -- Wendi Rafferty writing for the Mandiant Blog

Another item worth noting: 83% of APTs used TCP port 80 or 443 (i.e. looking like normal web browser activity)

Src: M-unition » Blog Archive » M-Trends: Advanced Persistent Threat Malware

QOTD on Cyber Threats

2010-01-28T05:05:00.000-08:00

Current security models are minimally effective against cyber criminals and many organizations appear to be largely unaware of that fact. -- Ted DeZabala, principal at Deloitte & Touche LLP

Src: Cyber Crime Called Out as 'Clear and Present Danger' by Deloitte's New Center for Security... -- NEW YORK, Jan. 25 /PRNewswire

QOTD - Bayuk on Security

2010-01-27T05:08:00.000-08:00

If a boss thinks that security procedures can be sacrificed, then the staff will sacrifice them, no matter how many documents Human Resources may make them sign that state the contrary. -- Jennifer Bayuk, book author, consultant, and former chief information security officer at Bear Stearns

Src: Former Bear Stearns exec pens security guide - USATODAY.com

QOTD - Yoran on Cyber Threats

2010-01-26T04:14:00.000-08:00

Every network with any size to it has been compromised in the past year or two. Advanced stuff is getting through pervasively. It’s simply impossible to protect an enterprise today. -- Amit Yoran, CEO of NetWitness & former chief of the Homeland security department’s national cybersecurity division.

Src: Cyberattack threat to US groups | FT.com

QOTD - Bayuk on Security

2010-01-25T09:12:00.000-08:00

I am not advocating any one big brother, just multiple simultaneous watchdogs that would be able to coordinate efforts in a crisis because they each individually understand how genuinely valuable their own security is to them. -- Jennifer Bayuk, book author, consultant, and former chief information security officer at Bear Stearns

Src: Former Bear Stearns exec pens security guide - USATODAY.com

QOTD on Cyber Threats

2010-01-25T05:47:00.000-08:00

Targeted attacks are part of everyday life now, and the sooner people wake up to this, the better prepared they can be. -- Zane Jarvis, AusCERT senior information security analyst

Src: Old software leaved the door open for net nasties | The Australian

QOTD on the Democratization of Espionage

2010-01-25T05:39:00.000-08:00

Brian Krebs asks Roland Dobbins, solutions architect at the Asia Pacific division of Arbor Networks, about the meaning of the current situation with cyber spying, botnets, and the low level of risk for those engaging in such activities. Roland replies:

Because it's so cheap through the use of botnets for bad guys to get this information, ordinary people are essentially the targets of espionage in a way that has never been true before in human history. Their personal information is being targeted by folks who have resources that in many cases are beyond what nation states would have been able to bring to bear only ten years ago.

Src: Botnets: "The Democratization of Espionage" - CSO Online - Security and Risk

QOTD on Toxic Data & The Enterprise

2010-01-24T05:30:00.000-08:00

The best thing enterprises can do now is examine their security program to make sure that it includes healthy balanced diet of controls that protect both toxic data and secrets. -- Andrew Jaquith, Senior Analyst at Forrester Research

Src: The attack on Google: What it means - Community - ComputerworldUK

How Bad Passwords Lead to Breached Accounts

2010-01-23T05:09:00.000-08:00

Imperva's analysis of the Dec 2009 breach of 32 million RockYou username & passwords provides a window into the average user's password practices: poor (to say the least). Among the findings listed in the report:

The top passwords were:

#1: 123456
#2: 12345
#3: 123456789
#4: Password
#5: iloveyou

30% of users had passwords of 6 characters or less.
Almost 50% of passwords were composed of: "used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
Less than 4% of passwords had any special characters.

Given some basic assumptions about an average DSL connection, the report concludes that

a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts.
[...]
After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.

One of the recommendations is for administrators to

Make sure passwords are not kept in clear text. Always digest password before storing to DB.

I believe it is irresponsible that some web-based applications are still storing passwords in plain text, and just as bad, to be able to send you your "old" password (meaning the password is either stored in plain text or in a reversible "encryption" format).

Note: emphasis is mine

Src: Imperva report - Consumer Password Worst Practices

The Fallacy of Secure Software?

2010-01-22T17:48:00.000-08:00

Justin Clarke, lead author of "SQL Injection Attacks and Defense," wrote a guest blog entry for fudsec.com dealing with Software Security. He mentions the two top SecSDLC models, OpenSAMM and BSIMM, and goes on to write:

...what is the activity that both OpenSAMM and BSIMM both consider to be the most important things with developing secure software? Pentesting? Code review?

Nope - it's having someone who is championing and driving software security within the organization. Having a group of folks who are ready and willing to shepherd and drive through all of the various changes to how the organization works over time. These are sometimes (in BSIMM in particular) referred to as the Software Security Group (SSG), and in many cases can be make or break in getting adoption and use of security initiatives within the organization.

After all of that, it turns out the best thing for software security in your organization may well be you...

Note: emphasis kept from the original document.
Src: The Fallacy of Secure Software | fudsec.com

QOTD on Industrialized Malware

2010-01-22T05:02:00.000-08:00

Malware is "becoming 'industrialised', with an underground economy growing up around it. The malware used to infiltrate target computers is professionally packaged and sold online, often with licence agreements and support contracts; and would-be criminals can rent the computing resources they need to engineer an attack from owners of 'botnets' – vast networks of compromised machines that can be controlled remotely." -- Jessica Twentyman, in the Financial Times

Src: Every IT user is at risk from cyberattacks | FT.com

QOTD - @Dakami on Aurora

2010-01-21T05:49:00.000-08:00

Ultimately, vulnerabilities happen. They happen to Web browsers -- all of them -- they happen to document readers -- all of them -- and they happen to operating systems and even network infrastructure. -- Dan Kaminsky, Director of penetration testing for IOActive.

Src: 7 Steps For Protecting Your Organization From 'Aurora' | DarkReading

Google, Privacy, & Schneier

2010-01-20T14:37:00.000-08:00

A quick set of quotes to show differing perspectives on Privacy. Google' CEO, Eric Schmidt, made a statement on privacy that is likely to have worried many privacy advocates:

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

Bruce Schneier's response (on his blog) uses materials from one of his posts from 2006:

Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.
[...]
Privacy is a basic human need.
[...]
Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

European governments and citizens have traditionally been a lot more careful and diligent with protecting one's privacy. The global, connected, world we live in may just end up benefiting from such principles. For more information about Privacy Principles, I refer you to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

Src: My Reaction to Eric Schmidt | Schneier on Security

QOTD on Cyber Threats

2010-01-20T05:30:00.000-08:00

For a sophisticated adversary, it’s to his advantage to keep your network up and running. He can learn what you know. He can cause confusion, delay your response times – and shape your actions. -- Unnamed source

Src: Spooks in the Machine: How the Pentagon Should Fight Cyber Spies | Progressive Fix

QOTD on Security vs Risk

2010-01-20T05:21:00.000-08:00

An organization with a zero failure rate is an organization that takes sure things, not risks.
Assuming you want to take real risks and accept some failures as an inevitable by-product, your first step is to find all the structural factors that are in place to discourage risk-taking.
Start with information security. Is it operating according to the risk profile you want, or is it in full prevent mode, trying to maximize security rather than optimizing it? -- Bob Lewis, writing for InfoWorld.com

Note: emphasis mine

Src: Wanted: IT risk-takers | Adventures in IT - InfoWorld

QOTD - Litan on Defeating 2-Factor Auth

2010-01-19T05:15:00.000-08:00

Criminals are successfully launching man-in-the-browser attacks that circumvent strong two-factor and other authentication that communicate through the user's browser. The fraudsters are also successfully having telecommunication carriers forward phone calls used to authenticate users and/or transactions to the fraudster's phone instead of the legitimate user's phone. These attacks were successfully and repeatedly executed against many banks and their customers across the globe in 2009. While bank accounts are the main immediate targets, these attack methods will migrate to other sectors and applications that contain sensitive valuable information and data within the next three years. -- Avivah Litan, Vice President and Distinguished Analyst in Gartner Research

Src: Where Strong Authentication Fails and What You Can Do About It | Gartner