Good Fences: An Information Security Blog

The Password is Dead, Long Live the Password

2010-09-03T07:00:00.000-07:00

This article from Information Week relates the ease by which a Graphics Processing Unit on a readily available graphics card renders 7 character passwords useless because they are too easily guessed.
So is the Password dead? Beyond dead, a pile of bones picked clean?

To answer that, you have to think of the threat in the larger context. That's true of any security arm-waving you encounter.

Consider other attack vectors sharing the same outcome (credential theft) or the same ultimate goal.

Then, think about the various security controls that address the steps in each of these attack vectors.

Only with this sort of methodical, thorough analysis can you get a good handle on the issue. For example...

Consider that the attack described in the article, a brute force password guessing attack, where the ciphertext / hash of a password is known ahead of time, is just one vector for password compromise.

Provided that the attacker cannot get the ciphertext in the first place (the /etc/shadow or the NTLM hash or what have you), then this kind of offline password guessing is rendered useless, itself.

So don't let the bad guys get your encrypted passwords.

Your controls (flaw remediation/patching, access control enforcement, and so forth) should reduce the likelihood of this significantly.

Another attack vector is that of brute force guessing against a logon interface. This attack can be hampered by logon failure delays that slow down the process and by account lockouts where several failed logons within a particular time window lock the account.

A way around these controls is to guess one password, each, for a long list of accounts. This delays the time between guesses for any one account. Even if you exceed threshold of failed logons on that account, it happens outside the time window.

Logging combined with solid monitoring will, hopefully, notify someone of repeated logon failures. The logging part is easy. The monitoring can be harder, requiring some combination of technical and people/process solution (think SOC / incident response / CIRT).

Using a keylogger delivered through malware is probably a much easier way to steal credentials. A host of controls have to be in place to protect users from themselves, and protect operating systems from infection by such stuff.

So should we protect ourselves from GPU-based password cracking? The problem is that the solutions are expensive or onerous. Complex 12-character passwords are going to wreak havoc amongst the user community and use of smart cards or tokens or whatever, are going to cost a fortune.

Is this the best place to spend scant security dollars? Or should you spend your infosec budget on a stone that takes out two birds?

That is, controls that not only protect password hashes but the other sensitive data on your servers and networks? You need to do that anyway.

Verizon's Insider Threat

2010-08-27T07:00:00.000-07:00

You've heard the psuedo-axiomatic bull-puckey that 80% of attacks are internal. As if this were universally true everywhere on Earth and everyone just "knows" this fact, like they know the hue of the sky.

Somewhere along the way (I was hearing this when I first got into infosec in the mid 90's) some government study came to this conclusion. Quite possibly the CSI/FBI computer crime surveys were at the root, I really don't know and it really doesn't matter.

I'm not saying there isn't insider threat. Or that insider access increases impact of successful attacks thus increasing risk. I'm not even particularly disagreeing with 80% because I'm sure there are cases where that figure is accurate.

But we as infosec professionals have to understand our own unique threats rather than blindly quoting some nearly urban-legendary statistics as if it applies everywhere.

Verizon's insider threat data, according to this article, lends some credence to the notion of insider threat being a big deal. Where bigness of deal varies from company to company. It also suggests that the problem--at Verizon, specifically--isn't as bad as the oft-quoted 80%.

Less interesting than the actual numbers, to me, is the fact that they collect these metrics in the first place. Do you? Should you? I think so. How do/would you go about it?

And at the same time remain mindful of the fact that we don't know what we don't know? I hate it when infosec professionals tell me, for example, "we've had xxx incidents this year" and forget to add on the phrase "that we know of".

Facebook Clickjacking Scam

2010-08-19T07:00:00.000-07:00

More bad things on Facebook: This Network World article speaks of a Facebook clickjacking scam that entices users to view some photos or some such. It hides a functional Share button underneath a Next button with some social engineering that entices users to click, unknowningly spreading the worm/thingy, then they are taken to a survey that generates money for the scammers.

No Script detects the attack. Cool. I've just started using this add on myself. It seems to add a pretty solid layer of defense to Firefox.

Facebook Dislike Button Scam

2010-08-18T07:00:00.000-07:00

All you overly paranoid Infosec people who scoff at the slightest hint of risk taking can just take a chill pill right now. It'll take you a few years to learn--and I hope you do learn for the sake of the companies you're supposed to be protecting--that there's no place for ultra paranoia in the business world. Maybe I'll explain that in another post.

I bring up this point because I can just hear some infosec folks sniffing arrogantly when I admit that I use Facebook. Well, guess what, I am balancing risk versus benefit, something those sniffly infosec people should try sometime.

There are risks I'm taking using Facebook and, in fact, I did get partially snookered by the Facebook Dislike Button Scam. In that I clicked "like" when I saw the thing. I didn't actually use it. And I'd like to believe that if I had, I'd get suspicious of it trying to do a survey and I would disallow access to it in the end.

Guess what, social engineering works beautifully, even occasionally on an infosec pro. There's no way to reliably patch wetware against it.

The best we can do is achieve a reasonable, helpful level of paranoia that prevents us from doing overly stupid things.

Then hope the rest of our technology defenses protect us from our slightly stupid mistakes.

2009-07-13T06:00:00.000-07:00

Yet another example of the trusted insider threat against intellectual property.

In the days before his June 5 resignation from Goldman Sachs, Aleynikov copied, encrypted and transferred approximately 32MB of proprietary code to a server located in Germany, the FBI claimed

Exfiltration is a difficult threat to address. You can try to prevent it by limiting outbound protocols and connectivity. But covert channels are always possible, even something as simple as uploading using a protocol other than HTTP running over port 80/tcp.

Detection may be possible if you have a device that can detect proprietary keywords. A proxy server requiring authentication and providing adequate logging can facilitate incident response: determining the extent of the incident and finding the culprit.

I deduce that Goldman Sachs is either lucky or has a pretty good start on solving this problem.

Aleynikov resigned to take a job with a new company "that intended to engage in high-volume automated trading," for triple his $400,000 salary, the complaint said.

...he was allegedly a vice president of equity strategy.

The reality is, the higher you go up the executive chain, usually the harder it is to enforce rules. That's another reason that security programs are only successful when the CEO and board want it, demand it, and make sure they get it.

FTC persuades court to shutter rogue ISP

2009-07-08T12:47:00.000-07:00

I feel the recent action of the FTC against a rogue ISP, documented in this article, marks a shift in the tides in the war against spam.

It seems much of the junk email originates from ISPs that refuse to follow the rules, allowing anonymous spammers to register domains with false information.

As a user of Knujon for some time, I've been eagerly reading about their recent successes working with ICANN for stricter enforcement of rules, resulting in many rogue ISPs being shut down.

As of this writing, Knujon has shut down over 200 thousand junk email sites according to their website. I've already written about Knujon, but it seems the momentum is building.

Shutting down rogue ISPs can be successful in making the cost/benefit equation less favorable for spammers and criminals by making domains harder and more expensive to obtain. If so, perhaps we will start to see a noticeable decline in spam around the world. Maybe it has already started? Or maybe not.

The problem is giant, so I suspect it will still be some years away, but I think we are seeing the signs that this approach will work.

The article above also mentions that other criminal activity was curtailed by shutting down this rogue ISP. Cool.

Sometimes non-technical solutions really are the answer.

Criminals Steal $415k from Bullitt County

2009-07-03T23:32:00.001-07:00

I am getting kind of burned out on computer security. I know, I know, it's only been 14 years that I have been in the trenches and, after all, we are making such tremendous progress in the infosec industry in that brief span of time.

Now instead of curious geeks hacking computers for fun and irritating people, we have widespread criminal activity. Instead of passwords, we're now using... um. Nevermind. And we went from having no network boundary enforcement to... err... having no network boundaries. Software security bugs are a thing of the past. And present. And forseeable future. But hey, at least hackers are targeting networks and systems less. Now they're just targeting people and client software. Cool. That's lots better.

Speaking of criminal activity. Here's yet another example of a phishing attack working. Criminals stole over $400,000 from a municipality's bank account. Why did this attack work? You could blame user(s) for giving away the info, falling for the phishing scheme. Or blame it on a lack of awareness training. But folks, the phishing attacks are getting so sophisticated even very experienced infosec professionals have a hard time.

Seems to me these attacks work because it is difficult to reliably verify trustworthiness of messages or senders. The same issue makes it easy for spammers to make / steal money. With a widely deployed SMTP infrastructure, how do we make improvements?

CanSecWest Browser Hacking Contest - what a help

2009-05-13T13:15:00.000-07:00

SecurityFocus article is here.

Security researcher Charlie Miller held onto a vulnerability for an entire year, before using it on Wednesday to win $5,000 and an Apple laptop at the Pwn2Own contest here at the CanSecWest conference.

I'm not sure which is least responsible, someone hanging onto a vulnerability for a year or holding contests that encourage this kind of behavior. Ok, sure, Safari isn't exactly widely deployed so maybe the bad guys didn't also discover this and exploit it for a year.

Another individual, Nils, successfully exploited an out of the box Explorer 8 on Windows 7. Given all the security features added to both, I think that's a pretty impressive feat.

USA Today: Hackers got into 18 computer servers at World Bank

2008-10-19T07:31:00.000-07:00

Did you see the USA Today article on the World Bank intrusions?

Cyberintruders used the Internet to crack into at least 18 computer servers at the World Bank Group last July.

One bank memo lists the breached servers and makes this assessment: "As of 9/9/08 we have determined that 5 of the compromised servers contain sensitive data, and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group."

Wow, sounds like old school system penetrations. And here we thought all the hacking nowadays was through browser and email exploits.

Banks, indeed, are not the only targets. Corporate intrusions in general are on the rise, says Phil Neray, vice president at database security firm Guardium. Cybercrooks seek out PCs used by privileged insiders so they can access sensitive databases and other PCs. "Many organizations don't have any real-time monitoring or alerting mechanisms in place to identify unauthorized activities," Neray says.

Hopefully the state of information security in private industry is a lot better these days but somehow I doubt it. The risk needs to be palpable enough for CEOs to give a crap. As for the realtime monitoring, that should really be the last line of defense. The detective control to catch whatever preventative controls don't.

To me this type of article underscores the need to look at security in breadth across the enterprise as well as in depth. It's like securing a house. You don't put an iron door on a tin shed. Hackers are looking for the one way in. So make all the ways in a little bit harder.

Infosec Fortune Cookie Friday

2008-09-05T13:04:00.001-07:00

Mitigating a risk with a stringent security control can create its own risk: that of business interruption.

Replacing Passwords

2008-09-04T05:27:00.000-07:00

NY Times has an article on authentication without using passwords.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
...
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.
...
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.

While I don't deny that passwords have their problems, I want to think this solution over a little. Meanwhile, if anyone out there is awake, I'm curious to hear your thoughts.

Changes

2008-08-08T03:45:00.000-07:00

All I can say to this is, 'bout time:

IT directors will play a dramatically reduced role in working with security professionals, says the Information Security Forum, which has issued a report that outlines how businesses' view of security is evolving. Chief risk officers, chief security officers and chief operation officers will be more involved in security strategy, according to the ISF. The change is fueled by Enterprise Risk Management and companies' increasing vision of merging physical security with information security, reports the ISF. Network World (07/31)

The downside of the above is that information security requires highly technical solutions and so either security talent has to migrate and disperse into IT organizations (not a bad thing) or strong ties between infosec talent and IT have to remain, or perhaps both. Otherwise infosec becomes all high level strategy with extremely poor execution. The Network World article goes on to say:

less than 3 out 10 information security professionals believe they are focused on delivering solutions to the business.

When you hear people talking about information security enabling the business, this is what they are talking about. The goal isn't simply to prevent or reduce risk. It's to enable the business to move forward with opportunities but with a tolerable level of risk. To do that you have to come up with creative solutions-- finding ways to say yes instead of no.

Davies points out that there is currently a large increase in information security professionals reporting to chief risk officers (CRO), chief security officers (CSO) and chief operation officers.

Infosec stepping away from IT makes it more difficult to build trust and alliances at the worker level which is crucial in building a security culture where IT personnel help the security group rather than avoiding them. Appointing infosec point of contact within various IT organizations can help.

The upside of this move outside of IT is that the struggle between sometimes opposing goals of IT and Infosec can happen at a higher management level where it often belongs. Infosec can gain a bit more authority, to be weilded very carefully, of course. This arrangement also gives the proper business focus to security groups and provides better visibility of security issues to upper management.

DNS

2008-08-01T08:31:00.000-07:00

So, how about that DNS vulnerability, huh?

Brings back memories of the days gone by when vulnerabilities and attacks regularly threatened the entire internet rather than being as targeted as they are now. Well, I guess this time there's a pretty ubiquitous hole that can be used for targeted attacks until folks patch. If they haven't they're nuts.

Meanwhile... Dan K suggests using OpenDNS since they were fixed before many ISPs. Having one place provide DNS to a lot of people kind of paints a giant target on their backs but then again that's no different than any major ISP's DNS servers. OpenDNS beat a lot of ISP's to the punch in patching so maybe that is an indiciation of the kind of shop they run. Plus they offer content filtering, typo fixing, and phishing protection features. Nice.

But, you probably knew all that, right?

So why didn't you tell me? :)

Infosec Fortune Cookie Friday

2008-08-01T08:29:00.000-07:00

It is written: One who swings the great bat of authority cannot spare a helping hand.

Infosec Fortune Cookie Friday

2008-07-11T08:37:00.000-07:00

It is written, one who only says "no" with arms folded and lips pursed builds only adversaries, not security. And should be slapped. Hard.

One who seeks a way to say "yes" shall find many allies to help him along the long and twisting road to a secure organization... unless the CEO drives him nuts first...

One who says "no" should not merely explain why afterwards, but beforehand, too...

One who writes fortune cookie sayings about security really needs a vacation...

Missing Backup Tapes

2008-06-10T11:13:00.000-07:00

C|Net News article: Bank of New York Mellon says customer data exposed

The Bank of New York Mellon says sensitive data of more than 4 million people owning shares in public companies was exposed after a box of back-up data storage tapes went missing in February. The data included names, addresses, and Social Security numbers.

Where the hell do these tapes go, anyway? When I read these tapes-gone-missing articles I always picture armed robbers running the tape truck off the road ala some kind of armored car heist. But no, they just go missing, they're not proven to be stolen. It must be the work of Chinese hackers taking a break from planting rogue trees to disable the nation's power infrastructure.

I've been out of the loop on backups for awhile. Does backup software make it easy (if not the default) to encrypt data? If not, it's definitely time.

Hacker Safe

2008-05-30T08:32:00.000-07:00

Does McAfee's Hacker Safe badge (aka ScanAlert) really suggest a consumer is safer shopping at a site displaying this badge? By now you've probably heard the answer is no.

Russ McRee's blog post and video show that "Hacker Safe" should not be taken too literally: the websites displaying this badge are not necessarily safe from hacking. Many are explicitly vulnerable.

Rather than adding to the emotion and arm waving, I thought it might be helpful to look at a couple of specific points.

Assuming "Hacker Safe" is intending to suggest the site is safe from hackers; nevertheless, security professionals know, as should the general public, that perfect security and perfect safety are not possible in an imperfect world populated with error prone people.

Scanning a site and finding no known vulnerabilities has never meant the site was safe, and it never really showed a completely accurate view of risk. Although five or ten years ago this type of scan offered more assurance than it does today. Why? The growth of criminal hacking activity, 0-day attacks, targeted attacks, and the increase in browser- and malware-based attacks means the other attack vectors and unknown attacks are more likely to be used now than they used to be.

So what gives an accurate picture, other certifications like TRUSTe? Maybe. Any certification, whether of website's security or a security professional's skills and experience, or a Jeep's off-road capability, are a shortcut to highly detailed, long term, careful, knowledgeable evaluation of real world performance. Certifications are, in a sense, a mechanism for transferring trust (or, call it confidence), from the certifier in the subject under scrutiny to the individual evaluating the subject. If the individual trusts (has confidence in) the certification, then they can transfer their trust (confidence) to the certified subject.

The key question is how much trust you have in the certification. The hacker doesn't care if you're certified, she just finds a vulnerability and uses it. A person can have an alphabet soup after their name but what matters is whether they can do a good job as a security pro. The rocks that you hang up your Jeep on probably knocked the Trail Rated badge off already.

But if the certification is objective, considers enough factors, and tests thoroughly enough, then the certification more closely approaches a measure of real world performance without taking the time necessary for each person to evaluate the subject in depth. All we have to do is evaluate the evaluation.

Some type of certification is usually better than nothing at all but in the case of "Hacker Safe" it appears to be more focused on marketing than on a useful, objective evaluation. Combined with the name of the program itself, trust in this certification probably should be fairly low. Perhaps McAfee will improve it as ScanAlert, looking for XSS, and denying use of the banner to sites that don't pass the tests.

Meanwhile we continue to rely on personal methods for risk mitigation: watching our bank and credit card statements, checking credit ratings periodically, etc.

Targeting Restaurants

2008-05-24T04:48:00.000-07:00

Just in case we forgot that modern computer criminals are intelligent, motivated human beings, likely to select whatever target works best to meet their goals, here's an article on several who decided to put the crosshairs on Dave & Busters restaurants for financial info and came away with thousands of credit cards. As internet crime becomes more of a widespread daily threat to the average Joe, I guess we all need to get better at personal risk mitigation.

You Know about KnujOn?

2008-05-21T04:21:00.001-07:00

Who loves spam? Anyone? Well, some boneheads out there actually send money to attempt to buy stuff listed in spam. Grr. The rest of us hate it and want it gone.

There's a guy out there who decided to fight back and formed KnujOn (spell it backwards). Anyway, he's been really successful in shutting down sites and turns out most of the spam is concentrated among a small number of registrars, some in China and one, Dynamic Dolphin, not far from my home here in Colorado if one is to believe the address information.

Here's his article on the top 10 worst offenders. Want to help? Have a look at his website and start reporting your spam to him per the directions.

The Insider Threat

2008-05-01T06:47:00.000-07:00

How many times have you heard it? Insider threat makes up 75% of cyber attacks. Or, is it 80% ? Or 85%?

Enough already! I can't take it any more!

I first heard this 10 years ago as a fledgling infosec geek from a company called Trident Data Systems who quoted a government study pegging the number at 80%. Since then I've heard this type of statistic quoted at anywhere from 50% to 90%. Studies and surveys seem to post lower, but similarly diverse, numbers.

So, I'm getting a wee bit weary of hearing people quoting this apocryphal statistic, passing it around. So much so that now I have to coin a new term: "urban statistic."

...On the other hand, being able to play the FUD card at any time is kind of handy. Why analyze threats and risk and apply appropriate controls? That's too hard. It's so much more fun to just scare people. F-U-D -- that spells "security"!

And besides, everyone knows 90% of all statistics can be made to say anything....

50% of the time.

Google Street View Becomes Driveway

2008-04-18T05:24:00.000-07:00

This article on SecurityProNews describes a situation where a Google Street View camera car enters and films someone's driveway.

When The Smoking Gun tipped off Janet McKee as to Google's impromptu visit, she said it was "a little bit creepy to think of someone filming our home without me knowing about it."

The Google camera car left public property (prohibited by Google) and drove up the couple's winding driveway. The reaction would have probably been different had the images not found themselves at the fingertips of billions.

This is dumb, but I admit it does creep me out a little bit that my own house is viewable by the planet. But why? Instead of people having to physically be present to ogle my abode -- so I can see them by peeking out the window -- they can anonymously view it at any time, entirely unknown to me.

Whereas I rely on the obscurity afforded by the physical world's limitations, when those limitations go away, what is the impact to my privacy, confidentiality?

Should I throw a tarp over the Jeep lest someone stumble across my street view and find themselves a cheap source for parts?

Should I worry that criminals now have an easier time casing my house?

For now, the world's internet users still have to click their way to our houses. But as more information comes online about each of us, we'll have to rethink some basic assumptions about our security and privacy.

Targeting Oddball Platforms

2008-04-15T13:35:00.000-07:00

Another article on targeted attacks. Larry Seltzer makes an interesting point towards the end of the article about the use of oddball operating systems and applications.

Some experts might recommend that you use alternative platforms like the Mac or OpenOffice, but these really don't help at all with targeted attacks. If someone's rolling out a new vulnerability for a targeted attack, it's just as easy for them to do it on OpenOffice and the Mac, which have numerous vulnerabilities, as for Windows. In fact, it's easier and cheaper for them to do it on the alternatives, where the price for a new, unpatched vulnerability is probably much cheaper than for Windows.

I'd think oddball platforms probably help with mass attacks. Those attacks are more likely to target Windows and more likely to be a bigger issue for home users. So, switching over to an alternative platform could make more sense for the home user; the cost/benefit analysis probably looks different than it would to an enterprise.

What makes the most sense, I think, is to make sure you continue patching regularly, and use security software like firewall, anti-spyware / anti-virus. When I say "firewall" I mean the kind that detects and blocks outbound network traffic on a per-process basis as well as inbound traffic.

Advance Auto Parts Store Data Breach

2008-04-02T05:17:00.000-07:00

From The Register:

Advance Auto Parts, the US motoring parts retailer, is the latest firm to give up customer credit card data to hackers.
The bad guys gleaned financial information on up to 56,000 customers, through an attack affecting 14 stores nationwide...

Advance Auto Parts website provides more information. So this only affects a handful of stores. Interesting. Methods and perps unknown.

I'm a big fan of companies being held accountable to standards of due care in the form of PCI standards and legal obligations. Significant penalties encourage companies to do the right thing.

Having worked at companies whose execs and upper management didn't give a rip about data security, due care, or anything that didn't involve raking in money, and having heard from more than a few infosec peers that this is the rule, not the exception, the only way my data and yours is going to stay protected is through penalties.

Penalties that significantly affect the bottom line --- or better, penalties that personally affect CEOs: in the form of wearing orange jumpsuits. The only reason SOX got any traction in companies is the threat of jail time for management. HIPAA has been largely ignored by a surprising number of healthcare companies. Bigger fines and jail time for execs would fix that fast.

And remember, we wouldn't even be hearing about these breaches in the first place if it weren't for California's SB1386 and all the copycat state laws that states created thereafter. The effect of these laws should be obvious to anyone following infosec news before and after 2003. Companies were hardly voluntarily disclosing data breaches --- until they were required to by law.

Even then, I'll bet cash money there are still companies ignoring this requirement. I've already posted about delayed notifications. Penalties and laws don't fix everyone and everything, but they do help to counter temptation and encourage honesty.

Radio Tracking for Backup Tapes

2008-04-01T06:11:00.000-07:00

Fujifilm bugs backup tapes with LoJack device

Looks like it runs $150/mo to track your tapes and reduce the likelihood of tapes going missing as has happened to quite a number of organizations over the last few years.

Is this really the best solution? How often do tapes go missing and how much damage does it cause? What level of risk mitigation does this technology afford? How does encryption of the data on the tapes compare in cost? Those are the questions I'd be asking myself if I were in a position of managing this risk.

I think I'd rather know my lost tapes were unreadable than to possibly know where my readable lost tapes were. Y'know?

I say "possibly" because I am guessing the lojack thingy is probably not 100% tamper resistant.

Michael

Laptop theft exposes patients' medical data

2008-03-28T17:24:00.000-07:00

Laptop theft exposes patients' medical data (C|Net News)

The computer was stolen in February ... but officials did not notify the patients of the theft until Thursday, saying they didn't want to spread unnecessary alarm, according to The Washington Post.

Pure infosec brilliance.